Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882707
MD5: 5e7d3490818e3f2a96f7a9dfc6950f9c
SHA1: 934454a655f32b4645ce827b3a39bed2cf5d891c
SHA256: e498809a30cab90e8d5eb3ff4610bc177ea9e63110530da50643332263f4ab55
Tags: exeGlupteba
Infos:

Detection

Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: Schedule system process
Yara detected Glupteba
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Uses netsh to modify the Windows network and firewall settings
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Creates files in the system32 config directory
Machine Learning detection for dropped file
Modifies the windows firewall
Performs DNS TXT record lookups
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Name Description Attribution Blogpost URLs Link
Glupteba Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 75%
Source: file.exe Virustotal: Detection: 80% Perma Link
Yara detected Glupteba
Source: Yara match File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion Avira URL Cloud: Label: malware
Source: https://mastiakele.xyz Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Windows\rss\csrss.exe ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Windows\rss\csrss.exe Joe Sandbox ML: detected

Bitcoin Miner
barindex
Yara detected Glupteba
Source: Yara match File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.1.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 5.2.file.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 15.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 22.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 28.2.csrss.exe.400000.4.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 40.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 41.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 54.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 55.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 60.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 64.2.csrss.exe.400000.0.unpack
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\rss\csrss.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: Loader.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: file.exe, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: file.exe, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: $BC:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp

Networking
barindex
Found Tor onion address
Source: file.exe String found in binary or memory: .2.0edwards25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds
Source: file.exe String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zeroint
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 1c1b0732151b1d231030330b0713013107http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8current filenname with args "C:\Users\user\Desktop\file.exe"
Source: file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000000.00000002.378648564.000000000C092000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: S-1-5-21-3853321935-2125563209-4053062332-1002https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonProgramW6432=C:\Program Files\Common FilesLOCALAPPDATA=C:\Users\user\AppData\LocalS-1-5-21-3853321935-2125563209-4053062332-1002
Source: file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: !This program cannoHKEY_USERS\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppHKEY_USERS\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttps://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionSELECT Caption FROM Win32_OperatingSystemMicrosoft Windows 10 ProPacific Standard Time2023/06/06 17:18:25 current filenname with args "C:\Users\user\Desktop\file.exe"
Source: file.exe, 00000000.00000002.378648564.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe String found in binary or memory: .2.0edwards25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds
Source: file.exe String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zeroint
Source: file.exe, 00000005.00000002.424748729.000000000C01A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Path=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppshttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
Source: file.exe, 00000005.00000002.426549971.000000000C11E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: S-1-5-21-3853321935-2125563209-4053062332-1002https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common Files
Source: file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 1c1b0732151b1d231030330b0713013107http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8current filenname with args "C:\Users\user\Desktop\file.exe"
Source: file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000000F.00000002.624321444.000000000105A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000000F.00000002.629197861.000000000C91E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: S-1-5-21-3853321935-2125563209-4053062332-1002https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common Files
Source: csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 1c1b0732151b1d231030330b0713013107http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f82023/06/06 17:18:56 current filenname with args "C:\Windows\rss\csrss.exe"
Performs DNS queries to domains with low reputation
Source: C:\Windows\rss\csrss.exe DNS query: 28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz
Source: file.exe String found in binary or memory: Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when wait equals www.facebook.com (Facebook)
Source: file.exe String found in binary or memory: :1.6) Gecko Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)269599466671506397946670150870196259404578077144243917216827223680612695994666715063979466701508701963 equals www.facebook.com (Facebook)
Source: file.exe String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: file.exe, 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.g
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: file.exe String found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
Source: file.exe String found in binary or memory: http://grub.org)Mozilla/5.0
Source: file.exe String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://invalidlog.txtlookup
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: file.exe String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: file.exe String found in binary or memory: http://search.msn.com/msnbot.htm)net/htt
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000005.00000002.424748729.000000000C01A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionC:
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5m
Source: file.exe String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
Source: file.exe String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: file.exe String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
Source: file.exe String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: file.exe String found in binary or memory: http://www.avantbrowser.com
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: file.exe String found in binary or memory: http://www.bloglines.com)Frame
Source: file.exe String found in binary or memory: http://www.everyfeed.com)explicit
Source: file.exe String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: file.exe String found in binary or memory: http://www.google.
Source: file.exe String found in binary or memory: http://www.google.com/adsbot.html)Encountered
Source: file.exe String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: file.exe String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: file.exe String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: file.exe String found in binary or memory: http://www.spidersoft.com)Wg
Source: file.exe String found in binary or memory: http://yandex.com/
Source: file.exe String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://blockchain.infoindex
Source: file.exe String found in binary or memory: https://cdn.discordapp.com/attachments/1087398815188910163/1087399133926674453/LZ.zipreflect.Value.I
Source: file.exe String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-p
Source: file.exe, 00000000.00000002.378648564.000000000C090000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C016000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C816000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyz
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C072000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C858000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzMicrosoft
Source: file.exe, 00000000.00000002.378648564.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624321444.000000000105A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000000.00000002.378648564.000000000C092000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.426549971.000000000C11E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.629197861.000000000C91E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonPro
Source: file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttps://m
Source: file.exe, 00000005.00000002.424748729.000000000C016000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C816000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWUUIDPGDSE64-bitc:
Source: file.exe, 00000000.00000002.378648564.000000000C090000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWhttps://mastiakele.xyzUUIDUUIDPGDSEPGDSE
Source: file.exe String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: unknown DNS traffic detected: queries for: 28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz
Creates a DirectInput object (often for capturing keystrokes)
Source: file.exe, 00000000.00000002.362994570.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud
barindex
Yara detected Glupteba
Source: Yara match File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000003C.00000002.567142232.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.471247409.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000028.00000002.510967623.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000037.00000002.553779043.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001C.00000002.594116326.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000036.00000002.521380153.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000040.00000002.604158371.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.624483863.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000029.00000002.517016941.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000003C.00000002.570772687.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000040.00000002.609271972.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000037.00000002.548334385.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000028.00000002.514590108.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000016.00000002.474423573.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000036.00000002.518888987.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000029.00000002.513462018.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.599256866.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 22.2.csrss.exe.3a22567.14.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.a1cb00.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.3a1c967.14.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3a32287.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.a22700.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.3.file.exe.3d91420.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.a1cb00.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.3a1c967.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 40.2.csrss.exe.a22700.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3a1c967.14.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.3400e67.11.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 60.2.csrss.exe.3a22567.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.a22700.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.a32420.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.a1cb00.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.3.csrss.exe.3cf0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.3.file.exe.3d7bb00.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 15.3.csrss.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.3.file.exe.3d81700.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.a22700.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.3.csrss.exe.4321420.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.2e70e67.12.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 22.2.csrss.exe.a32420.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3a32287.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3ec1420.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.a22700.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.34a2287.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 55.2.csrss.exe.a22700.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 22.2.csrss.exe.3400e67.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 41.2.csrss.exe.a32420.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.3.csrss.exe.4311700.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.a32420.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.a22700.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.3a22567.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.a1cb00.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 60.2.csrss.exe.3400e67.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 60.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.35c2567.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.3.file.exe.3760000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 55.2.csrss.exe.3a32287.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.a1cb00.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3890000.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.2.file.exe.2fa0e67.12.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 64.2.csrss.exe.3a22567.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.3400e67.15.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 54.2.csrss.exe.3a1c967.14.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3a1c967.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.a32420.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3a22567.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.3a32287.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3eb1700.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.3a22567.14.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 28.2.csrss.exe.a22700.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.a1cb00.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.35bc967.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.35d2287.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.a32420.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.3400e67.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 64.2.csrss.exe.a22700.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.2.file.exe.a1cb00.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.a1cb00.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.a22700.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.3492567.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.3a1c967.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.3a1c967.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.3a22567.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3eabb00.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.348c967.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3400e67.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 15.2.csrss.exe.3400e67.11.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 41.2.csrss.exe.3a32287.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.3a1c967.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.a32420.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.3a1c967.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 15.3.csrss.exe.430bb00.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.a1cb00.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.a1cb00.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.3a22567.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3400e67.15.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 41.2.csrss.exe.a22700.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.a1cb00.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3a22567.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 64.2.csrss.exe.3400e67.14.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000003C.00000002.567142232.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.471247409.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000036.00000002.509180776.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000003C.00000002.555538595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000028.00000002.510967623.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000029.00000002.480076167.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000037.00000002.553779043.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000040.00000002.598741475.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001C.00000002.594116326.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.442933383.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000036.00000002.521380153.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.615156234.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000040.00000002.604158371.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000000F.00000002.624483863.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000003.401909888.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000029.00000002.517016941.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000003C.00000002.570772687.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000037.00000002.522989058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000040.00000002.609271972.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000037.00000002.548334385.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000028.00000002.514590108.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000028.00000002.475119649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000016.00000002.474423573.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000001C.00000002.566670417.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000028.00000003.442621501.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000036.00000002.518888987.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000029.00000002.513462018.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.599256866.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_txvnygx2.3pj.ps1 Jump to behavior
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\rss Jump to behavior
Sample file is different than original file name gathered from version info
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Source: file.exe ReversingLabs: Detection: 75%
Source: file.exe Virustotal: Detection: 80%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: unknown Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: unknown Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes Jump to behavior
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4hshgl2.ban.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@79/32@1/0
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: file.exe, 00000000.00000002.378648564.000000000C0B6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT OSArchitecture FROM Win32_OperatingSystem.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCDriverData=C:\Windows\System32\Drivers\DriverData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_02BA37C6 CreateToolhelp32Snapshot,Module32First, 5_2_02BA37C6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
Source: C:\Windows\rss\csrss.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3432:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:240:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_01
Source: file.exe String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: file.exe String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: file.exe String found in binary or memory: current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address is emptyafter ob
Source: file.exe String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: file.exe String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: file.exe String found in binary or memory: 1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind in runfinqbad noti
Source: file.exe String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: file.exe String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: file.exe String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: file.exe String found in binary or memory: current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address is emptyafter ob
Source: file.exe String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: file.exe String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: file.exe String found in binary or memory: 1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind in runfinqbad noti
Source: file.exe String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Windows\System32\fodhelper.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
Source: C:\Windows\rss\csrss.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static file information: File size 4377472 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40ac00
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Loader.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: file.exe, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: file.exe, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: $BC:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.1.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 5.2.file.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 15.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 22.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 28.2.csrss.exe.400000.4.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 40.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 41.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 54.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 55.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 60.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 64.2.csrss.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 5.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 15.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 22.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 28.2.csrss.exe.400000.4.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 40.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 41.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 54.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 55.2.csrss.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 60.2.csrss.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe Unpacked PE file: 64.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_02BA7C7E pushad ; ret 5_2_02BA7C90
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_02BA516A pushfd ; ret 5_2_02BA51B2
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_02BA7D59 pushad ; ret 5_2_02BA7D80
PE file contains an invalid checksum
Source: csrss.exe.5.dr Static PE information: real checksum: 0x43a16c should be: 0x42d1a9
Source: file.exe Static PE information: real checksum: 0x43a16c should be: 0x42d1a9

Persistence and Installation Behavior
barindex
Creates files in the system32 config directory
Source: C:\Windows\System32\netsh.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub Jump to behavior
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\fodhelper.exe Executable created and started: C:\Windows\rss\csrss.exe
Drops PE files with benign system names
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\rss\csrss.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\rss\csrss.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\rss\csrss.exe Jump to dropped file

Boot Survival
barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run csrss Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run csrss Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run csrss Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXE
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMPC:\USERS\user\APPDATA\LOCAL\TEMP\CSRSSC:\USERS\user\DESKTOP\FILE.EXEC:\USERS\user\DESKTOP\FILE.EXE"C:\USERS\user\APPDATA\LOCAL\TEMP\CSRSS""CSRSS.EXE", "WINDEFENDER.EXE", "FILE.EXE"C:\WINDOWS\SYSTEM32\WBEM\POWERSHELLC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.COMC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.EXEC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.BATC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.CMDC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.VBSC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.VBEC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.JSC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.JSEC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.WSFC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.WSHC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.MSCC:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\OQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEFILE.EXEVMSRVC.EXEVMUSRVC.EXE$
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMSRVC.EXEVMUSRVC.EXESMSS.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWININIT.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXESERVICES.EXEVMSRVC.EXEVMUSRVC.EXEWINLOGON.EXEVMSRVC.EXEVMUSRVC.EXELSASS.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEPOWERSHELL.JSEPOWERSHELL.WSFPOWERSHELL.WSHPOWERSHELL.MSCC:\WINDOWS\HOMEDRIVE=C:OS=WINDOWS_NTUSERPROFILEUSERNAMETMPTEMPUSERDOMAINSYSTEMROOTPUBLICSYSTEMDRIVEPSMODULEPATHPROGRAMW6432PROGRAMFILESPROGRAMDATAPROCESSOR_LEVELPATHEXTPATHOSLOCALAPPDATAHOMEPATHCOMSPECHOMEDRIVEDRIVERDATACOMPUTERNAMEAPPDATA
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: file.exe Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3376 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1540 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5576 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6164 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1368 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7148 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4872 Thread sleep count: 9184 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2348 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7120 Thread sleep time: -4611686018427385s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9133 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9393 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9112 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9001 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9301
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8766
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7315
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9160
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8648
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8899
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9184
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9096
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8550
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe File opened / queried: VBoxGuest Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened / queried: vmci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened / queried: HGFS Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened / queried: VBoxTrayIPC Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened / queried: \pipe\VBoxTrayIPC Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened / queried: VBoxMiniRdrDN Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: file.exe, 00000005.00000002.428126829.000000000C190000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: smartscreen.exeSgrmBroker.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exe\\.\VBoxGuest\\.\VBoxTrayIPC[System Process]fontdrvhost.exefontdrvhost.exesmartscreen.exeSgrmBroker.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeS-1-5-18CreateToolhelp32SnapshotShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exeVBoxSFRegistrysmss.exedwm.exeShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exevmhgfsvmmousevmxnetRegistrysmss.exedwm.exeShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exevpc-s3vpcuhubRegistrysmss.exedwm.exeShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exexennetxennet6xensvcxenvdbC:\Windows\Sysnative\cmd.exeC:\Windows\Sysnative\cmd.exePATHEXTCOMPUTERNAME=computerHOMEPATH=\Windows\system32NUMBER_OF_PROCESSORS=2PROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramW6432=C:\Program FilesPUBLIC=C:\Users\PublicUSERNAME=computer$C:\Windows\windefender.exeC:\Windows\System32\drivers"C:\Windows\windefender.exe""C:\Windows\System32\drivers"PATHEXTPATHEXTC:\Windows\powershell.cmdC:\Windows\powershell.vbsC:\Windows\powershell.vbeC:\Windows\powershell.jseC:\Windows\powershell.wsfC:\Windows\powershell.wshC:\Windows\powershell.msc
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: aryvmcixn-SE-
Source: file.exe, 00000005.00000002.403486156.0000000000E37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\pipe\VBoxTrayIPCi
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Local\TempC:\Users\user\AppData\Local\Temp\csrssC:\Users\user\Desktop\file.exec:\users\user\desktop\file.exe"C:\Users\user\AppData\Local\Temp\csrss""csrss.exe", "windefender.exe", "file.exe"C:\Windows\System32\Wbem\powershellC:\Windows\System32\Wbem\powershell.comC:\Windows\System32\Wbem\powershell.exeC:\Windows\System32\Wbem\powershell.batC:\Windows\System32\Wbem\powershell.cmdC:\Windows\System32\Wbem\powershell.vbsC:\Windows\System32\Wbem\powershell.vbeC:\Windows\System32\Wbem\powershell.jsC:\Windows\System32\Wbem\powershell.jseC:\Windows\System32\Wbem\powershell.wsfC:\Windows\System32\Wbem\powershell.wshC:\Windows\System32\Wbem\powershell.mscC:\Windows\System32\WindowsPowerShell\v1.0\oqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exefile.exevmsrvc.exevmusrvc.exe$
Source: file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemuvirtual
Source: file.exe, 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: file.exe Binary or memory string: popcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs
Source: file.exe Binary or memory string: arecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAll
Source: file.exe, 00000005.00000002.428126829.000000000C19A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exe\\.\VBoxMiniRdrDNMemory CompressionRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exeMemory CompressionRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exeMemory CompressionRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exeAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6TEMP=C:\Windows\TEMPTMP=C:\Windows\TEMPUSERDOMAIN=WORKGROUPwindir=C:\WindowsLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelAdd-MpPreference -ExclusionProcess "csrss.exe", "windefender.exe", "file.exe"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsh
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: 11VBoxSFWINDIRWD
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc.exevmusrvc.exesmss.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewininit.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exeservices.exevmsrvc.exevmusrvc.exewinlogon.exevmsrvc.exevmusrvc.exelsass.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exepowershell.jsepowershell.wsfpowershell.wshpowershell.mscC:\Windows\HOMEDRIVE=C:OS=Windows_NTuserprofileusernametmptempuserdomainsystemrootpublicsystemdrivepsmodulepathprogramw6432programfilesprogramdataprocessor_levelpathextpathoslocalappdatahomepathcomspechomedrivedriverdatacomputernameappdata
Source: file.exe Binary or memory string: pclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo
Source: file.exe Binary or memory string: sse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BE
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: file.exe, 00000005.00000002.403486156.0000000000E56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\vmci
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: file.exe Binary or memory string: pi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= page
Source: csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: main.isRunningInsideVMWare
Source: file.exe Binary or memory string: myreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:
Source: file.exe Binary or memory string: hPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 1
Source: file.exe Binary or memory string: s5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= m
Source: file.exe Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: file.exe, 00000005.00000002.403486156.0000000000E71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msvmmouf?
Source: file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: exit status 1exit status 1: nehalemS-1-5-18kvmqemuvirtualpersocon$
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: tVMSrvcs|!
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: file.exe Binary or memory string: sbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: file.exe Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
Source: file.exe Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: file.exe Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: file.exe Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [system process]vboxtray.exe
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: file.exe Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
Source: file.exe Binary or memory string: WSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4c
Source: file.exe Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: file.exe Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
Source: file.exe Binary or memory string: t64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.4.5
Source: file.exe Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownloading
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: registryvboxtray.exe
Source: file.exe Binary or memory string: expiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowsw
Source: file.exe Binary or memory string: 12SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs de
Source: file.exe Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: file.exe Binary or memory string: mountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B
Source: file.exe, 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: \\.\HGFS`
Source: file.exe, 00000005.00000002.403486156.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624231417.0000000001012000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: vmhgfsP
Source: file.exe, 00000005.00000002.403486156.0000000000E56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\HGFS
Source: file.exe, 00000005.00000002.403486156.0000000000E37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: xenvdb?
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: file.exe, 00000000.00000002.362994570.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: file.exe Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
Source: file.exe Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
Source: file.exe Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: file.exe Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
Source: file.exe Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: sharedintapp.exe[system process]vmsrvc.exe
Source: file.exe Binary or memory string: ianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdomai
Source: file.exe Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def
Enables debug privileges
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_02BA30A3 push dword ptr fs:[00000030h] 5_2_02BA30A3

HIPS / PFW / Operating System Protection Evasion
barindex
Performs DNS TXT record lookups
Source: Traffic DNS traffic detected: queries for: 28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes Jump to behavior
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Modifies the windows firewall
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Glupteba
Source: Yara match File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Glupteba
Source: Yara match File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 882707 Sample: file.exe Startdate: 06/06/2023 Architecture: WINDOWS Score: 100 107 Malicious sample detected (through community Yara rule) 2->107 109 Antivirus detection for URL or domain 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 6 other signatures 2->113 11 file.exe 13 2->11         started        14 csrss.exe 2->14         started        16 csrss.exe 2->16         started        18 2 other processes 2->18 process3 signatures4 131 Detected unpacking (changes PE section rights) 11->131 133 Detected unpacking (overwrites its own PE header) 11->133 135 Modifies the windows firewall 11->135 137 Drops PE files with benign system names 11->137 20 file.exe 8 2 11->20         started        24 powershell.exe 22 11->24         started        26 cmd.exe 14->26         started        28 cmd.exe 16->28         started        30 powershell.exe 18->30         started        32 csrss.exe 18->32         started        process5 file6 103 C:\Windows\rss\csrss.exe, PE32 20->103 dropped 127 Creates an autostart registry key pointing to binary in C:\Windows 20->127 34 csrss.exe 20->34         started        38 cmd.exe 1 20->38         started        48 3 other processes 20->48 40 conhost.exe 24->40         started        42 fodhelper.exe 26->42         started        50 3 other processes 26->50 44 fodhelper.exe 28->44         started        52 3 other processes 28->52 46 conhost.exe 30->46         started        signatures7 process8 dnsIp9 105 28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz 34->105 115 Multi AV Scanner detection for dropped file 34->115 117 Detected unpacking (changes PE section rights) 34->117 119 Detected unpacking (overwrites its own PE header) 34->119 125 3 other signatures 34->125 54 powershell.exe 34->54         started        56 schtasks.exe 34->56         started        69 3 other processes 34->69 121 Uses netsh to modify the Windows network and firewall settings 38->121 58 netsh.exe 3 38->58         started        61 conhost.exe 38->61         started        123 Drops executables to the windows directory (C:\Windows) and starts them 42->123 63 csrss.exe 42->63         started        65 powershell.exe 42->65         started        67 csrss.exe 44->67         started        71 3 other processes 48->71 signatures10 process11 signatures12 73 conhost.exe 54->73         started        75 conhost.exe 56->75         started        129 Creates files in the system32 config directory 58->129 77 csrss.exe 63->77         started        79 powershell.exe 63->79         started        81 conhost.exe 65->81         started        83 csrss.exe 67->83         started        85 powershell.exe 67->85         started        87 conhost.exe 69->87         started        89 2 other processes 69->89 process13 process14 91 powershell.exe 77->91         started        93 conhost.exe 79->93         started        95 powershell.exe 83->95         started        97 conhost.exe 85->97         started        process15 99 conhost.exe 91->99         started        101 conhost.exe 95->101         started       
No contacted IP infos

Contacted Domains

Name IP Active
28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz unknown unknown