Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	882707
MD5:	5e7d3490818e3f2a96f7a9dfc6950f9c
SHA1:	934454a655f32b4645ce827b3a39bed2cf5d891c
SHA256:	e498809a30cab90e8d5eb3ff4610bc177ea9e63110530da50643332263f4ab55
Tags:	exeGlupteba
Infos:

Detection

Glupteba

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Sigma detected: Schedule system process

Yara detected Glupteba

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Creates an autostart registry key pointing to binary in C:\Windows

Uses netsh to modify the Windows network and firewall settings

Found Tor onion address

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Creates files in the system32 config directory

Machine Learning detection for dropped file

Modifies the windows firewall

Performs DNS TXT record lookups

Drops executables to the windows directory (C:\Windows) and starts them

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains capabilities to detect virtual machines

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 6760 cmdline: C:\Users\user\Desktop\file.exe MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 6824 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

file.exe (PID: 1488 cmdline: C:\Users\user\Desktop\file.exe MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 5576 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2760 cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

netsh.exe (PID: 6792 cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes MD5: 98CC37BBF363A38834253E22C80A8F32)

powershell.exe (PID: 7076 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5848 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csrss.exe (PID: 768 cmdline: C:\Windows\rss\csrss.exe MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 7012 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5760 cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6852 cmdline: schtasks /delete /tn ScheduledUpdate /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 2896 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1360 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

TrustedInstaller.exe (PID: 6536 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: 4578046C54A954C917BB393B70BA0AEB)

csrss.exe (PID: 6772 cmdline: "C:\Windows\rss\csrss.exe" MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

cmd.exe (PID: 2224 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

fodhelper.exe (PID: 6780 cmdline: fodhelper MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 4248 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 6708 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

csrss.exe (PID: 5596 cmdline: "C:\Windows\rss\csrss.exe" MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 1196 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csrss.exe (PID: 6316 cmdline: C:\Windows\rss\csrss.exe MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 6652 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csrss.exe (PID: 2344 cmdline: C:\Windows\rss\csrss.exe MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 1364 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csrss.exe (PID: 6216 cmdline: C:\Windows\rss\csrss.exe MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

csrss.exe (PID: 5280 cmdline: "C:\Windows\rss\csrss.exe" MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

cmd.exe (PID: 6104 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

fodhelper.exe (PID: 6048 cmdline: fodhelper MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 5708 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

fodhelper.exe (PID: 6216 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)

csrss.exe (PID: 6464 cmdline: "C:\Windows\rss\csrss.exe" MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 4680 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csrss.exe (PID: 4472 cmdline: C:\Windows\rss\csrss.exe MD5: 5E7D3490818E3F2A96F7A9DFC6950F9C)

powershell.exe (PID: 2224 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6184 cmdline: powershell -nologo -noprofile MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000003C.00000002.567142232.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000016.00000002.471247409.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000036.00000002.509180776.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
0000003C.00000002.555538595.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000028.00000002.510967623.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000029.00000002.480076167.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000037.00000002.553779043.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000040.00000002.598741475.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000001C.00000002.594116326.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000016.00000002.442933383.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000036.00000002.521380153.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000002.615156234.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000040.00000002.604158371.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
0000000F.00000002.624483863.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000000F.00000003.401909888.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
00000029.00000002.517016941.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000003C.00000002.570772687.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000037.00000002.522989058.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000040.00000002.609271972.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000037.00000002.548334385.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000028.00000002.514590108.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000028.00000002.475119649.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000016.00000002.474423573.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000001C.00000002.566670417.0000000000400000.00000040.00000001.01000000.00000005.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
00000028.00000003.442621501.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000036.00000002.518888987.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000029.00000002.513462018.0000000003000000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001C.00000002.599256866.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: file.exe PID: 6760	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: file.exe PID: 1488	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: csrss.exe PID: 768	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: csrss.exe PID: 4472	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 61 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
22.2.csrss.exe.3a22567.14.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
64.2.csrss.exe.a32420.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
28.2.csrss.exe.a1cb00.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
60.2.csrss.exe.3a1c967.14.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
28.2.csrss.exe.3a32287.13.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
22.2.csrss.exe.a22700.7.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.3.file.exe.3d91420.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.a1cb00.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
60.2.csrss.exe.3a32287.15.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
55.2.csrss.exe.3a1c967.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
64.2.csrss.exe.400000.0.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
5.2.file.exe.400000.0.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
40.2.csrss.exe.a22700.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.3a32287.15.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.3a1c967.14.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
41.2.csrss.exe.3400e67.11.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
60.2.csrss.exe.3a22567.13.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
15.2.csrss.exe.a22700.7.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
55.2.csrss.exe.a32420.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.a1cb00.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.3.csrss.exe.3cf0000.0.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
0.3.file.exe.3d7bb00.5.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
55.2.csrss.exe.400000.3.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
15.3.csrss.exe.3cf0000.1.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
0.3.file.exe.3d81700.7.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
60.2.csrss.exe.a22700.5.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
22.2.csrss.exe.3a32287.15.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
15.3.csrss.exe.4321420.6.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.2e70e67.12.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
22.2.csrss.exe.a32420.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.3a32287.12.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.3.file.exe.3ec1420.6.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.2.file.exe.a22700.7.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.34a2287.8.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
41.2.csrss.exe.400000.2.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
55.2.csrss.exe.a22700.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
22.2.csrss.exe.400000.0.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
22.2.csrss.exe.3400e67.9.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
15.2.csrss.exe.400000.2.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
41.2.csrss.exe.a32420.7.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
15.3.csrss.exe.4311700.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.a32420.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.2.file.exe.a32420.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.a22700.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
55.2.csrss.exe.3400e67.15.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
15.2.csrss.exe.3a22567.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
41.2.csrss.exe.a1cb00.6.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.400000.1.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
60.2.csrss.exe.3400e67.9.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
60.2.csrss.exe.a32420.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.2.file.exe.35c2567.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
60.2.csrss.exe.400000.1.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
0.3.file.exe.3760000.0.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
55.2.csrss.exe.3a32287.12.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
22.2.csrss.exe.a1cb00.5.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.3.file.exe.3890000.3.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
64.2.csrss.exe.3400e67.14.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
5.2.file.exe.2fa0e67.12.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
54.2.csrss.exe.3400e67.9.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
55.2.csrss.exe.400000.3.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
64.2.csrss.exe.3a22567.11.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
55.2.csrss.exe.3400e67.15.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
28.2.csrss.exe.400000.4.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
54.2.csrss.exe.3a1c967.14.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
28.2.csrss.exe.3a1c967.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.400000.2.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
15.2.csrss.exe.3a32287.15.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
28.2.csrss.exe.a32420.7.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.3a22567.13.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
64.2.csrss.exe.3a32287.8.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.3.file.exe.3eb1700.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
55.2.csrss.exe.3a22567.14.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.400000.0.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
28.2.csrss.exe.a22700.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.a1cb00.7.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.2.file.exe.35bc967.8.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.2.file.exe.35d2287.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.a32420.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.3400e67.9.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
64.2.csrss.exe.a22700.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
28.2.csrss.exe.400000.4.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
5.2.file.exe.a1cb00.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
60.2.csrss.exe.a1cb00.2.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.a22700.3.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.3492567.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
41.2.csrss.exe.3a1c967.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.3.file.exe.3890000.3.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
5.2.file.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
22.2.csrss.exe.3a1c967.12.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
15.3.csrss.exe.3cf0000.1.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0.3.file.exe.3760000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
41.2.csrss.exe.3a22567.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
5.3.file.exe.3eabb00.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.348c967.10.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
28.2.csrss.exe.3400e67.10.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
60.2.csrss.exe.3400e67.9.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
15.2.csrss.exe.3400e67.11.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
41.2.csrss.exe.3a32287.12.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
64.2.csrss.exe.3a1c967.9.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
15.2.csrss.exe.3400e67.11.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
15.2.csrss.exe.a32420.6.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
15.2.csrss.exe.3a1c967.13.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.400000.2.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
41.2.csrss.exe.3400e67.11.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
15.3.csrss.exe.430bb00.0.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
55.2.csrss.exe.a1cb00.6.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
15.2.csrss.exe.a1cb00.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
54.2.csrss.exe.3a22567.12.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.3400e67.15.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
60.2.csrss.exe.400000.1.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
64.2.csrss.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
41.2.csrss.exe.a22700.1.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
40.2.csrss.exe.a32420.4.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x29b38:$s2: The Magic Word! 0x35c78:$s2: The Magic Word! 0x29e98:$s3: Software\Oracle\VirtualBox 0x29b27:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
64.2.csrss.exe.a1cb00.6.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x3f458:$s2: The Magic Word! 0x4b598:$s2: The Magic Word! 0x3f7b8:$s3: Software\Oracle\VirtualBox 0x3f447:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
22.2.csrss.exe.3400e67.9.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
28.2.csrss.exe.3a22567.15.raw.unpack	MAL_ME_RawDisk_Agent_Jan20_2	Detects suspicious malware using ElRawDisk	Florian Roth (Nextron Systems)	0x39858:$s2: The Magic Word! 0x45998:$s2: The Magic Word! 0x39bb8:$s3: Software\Oracle\VirtualBox 0x39847:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
0.2.file.exe.400000.1.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
15.2.csrss.exe.400000.2.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b8597:$x1: https://cdn.discordapp.com/attachments/
40.2.csrss.exe.3400e67.15.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
64.2.csrss.exe.3400e67.14.raw.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth (Nextron Systems)	0x3b7997:$x1: https://cdn.discordapp.com/attachments/
28.2.csrss.exe.3400e67.10.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0.2.file.exe.2e70e67.12.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 118 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\rss\csrss.exe, ParentImage: C:\Windows\rss\csrss.exe, ParentProcessId: 768, ParentProcessName: csrss.exe, ProcessCommandLine: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F, ProcessId: 5760, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 75%
Source: file.exe	Virustotal: Detection: 80%			Perma Link

Yara detected Glupteba

Source: Yara match	File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

Antivirus detection for URL or domain

Source: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion	Avira URL Cloud: Label: malware
Source: https://mastiakele.xyz	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Windows\rss\csrss.exe

ReversingLabs: Detection: 75%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\rss\csrss.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.1.unpack
Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 5.2.file.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 15.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 22.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 28.2.csrss.exe.400000.4.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 40.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 41.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 54.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 55.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 60.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 64.2.csrss.exe.400000.0.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\rss\csrss.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: Loader.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: file.exe, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: file.exe, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: $BC:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp

Networking

Found Tor onion address

Source: file.exe	String found in binary or memory: .2.0edwards25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds
Source: file.exe	String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zeroint
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: 1c1b0732151b1d231030330b0713013107http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8current filenname with args "C:\Users\user\Desktop\file.exe"
Source: file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000000.00000002.378648564.000000000C092000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: S-1-5-21-3853321935-2125563209-4053062332-1002https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonProgramW6432=C:\Program Files\Common FilesLOCALAPPDATA=C:\Users\user\AppData\LocalS-1-5-21-3853321935-2125563209-4053062332-1002
Source: file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: !This program cannoHKEY_USERS\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppHKEY_USERS\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttps://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionSELECT Caption FROM Win32_OperatingSystemMicrosoft Windows 10 ProPacific Standard Time2023/06/06 17:18:25 current filenname with args "C:\Users\user\Desktop\file.exe"
Source: file.exe, 00000000.00000002.378648564.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe	String found in binary or memory: .2.0edwards25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds
Source: file.exe	String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zeroint
Source: file.exe, 00000005.00000002.424748729.000000000C01A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Path=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppshttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
Source: file.exe, 00000005.00000002.426549971.000000000C11E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: S-1-5-21-3853321935-2125563209-4053062332-1002https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common Files
Source: file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: 1c1b0732151b1d231030330b0713013107http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8current filenname with args "C:\Users\user\Desktop\file.exe"
Source: file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000000F.00000002.624321444.000000000105A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: csrss.exe, 0000000F.00000002.629197861.000000000C91E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: S-1-5-21-3853321935-2125563209-4053062332-1002https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonProgramW6432=C:\Program Files\Common FilesCommonProgramW6432=C:\Program Files\Common Files
Source: csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: 1c1b0732151b1d231030330b0713013107http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f82023/06/06 17:18:56 current filenname with args "C:\Windows\rss\csrss.exe"

Performs DNS queries to domains with low reputation

Source: C:\Windows\rss\csrss.exe

DNS query: 28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz

Source: file.exe	String found in binary or memory: Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when wait equals www.facebook.com (Facebook)
Source: file.exe	String found in binary or memory: :1.6) Gecko Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)269599466671506397946670150870196259404578077144243917216827223680612695994666715063979466701508701963 equals www.facebook.com (Facebook)

Source: file.exe	String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: file.exe, 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.g
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: file.exe	String found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
Source: file.exe	String found in binary or memory: http://grub.org)Mozilla/5.0
Source: file.exe	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://invalidlog.txtlookup
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: file.exe	String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: file.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)net/htt
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000005.00000002.424748729.000000000C01A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionC:
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-
Source: file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5m
Source: file.exe	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
Source: file.exe	String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: file.exe	String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
Source: file.exe	String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: file.exe	String found in binary or memory: http://www.avantbrowser.com
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: file.exe	String found in binary or memory: http://www.bloglines.com)Frame
Source: file.exe	String found in binary or memory: http://www.everyfeed.com)explicit
Source: file.exe	String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: file.exe	String found in binary or memory: http://www.google.
Source: file.exe	String found in binary or memory: http://www.google.com/adsbot.html)Encountered
Source: file.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: file.exe	String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: file.exe	String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: file.exe	String found in binary or memory: http://www.spidersoft.com)Wg
Source: file.exe	String found in binary or memory: http://yandex.com/
Source: file.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blockchain.infoindex
Source: file.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1087398815188910163/1087399133926674453/LZ.zipreflect.Value.I
Source: file.exe	String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-p
Source: file.exe, 00000000.00000002.378648564.000000000C090000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C016000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C816000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyz
Source: file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C072000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C858000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzMicrosoft
Source: file.exe, 00000000.00000002.378648564.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624321444.000000000105A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion
Source: file.exe, 00000000.00000002.378648564.000000000C092000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.426549971.000000000C11E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.629197861.000000000C91E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonPro
Source: file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttps://m
Source: file.exe, 00000005.00000002.424748729.000000000C016000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C816000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWUUIDPGDSE64-bitc:
Source: file.exe, 00000000.00000002.378648564.000000000C090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWhttps://mastiakele.xyzUUIDUUIDPGDSEPGDSE
Source: file.exe	String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot

Source: unknown

DNS traffic detected: queries for: 28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz

Source: file.exe, 00000000.00000002.362994570.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000003C.00000002.567142232.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.471247409.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000028.00000002.510967623.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000037.00000002.553779043.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001C.00000002.594116326.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000036.00000002.521380153.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000040.00000002.604158371.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.624483863.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000029.00000002.517016941.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000003C.00000002.570772687.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000040.00000002.609271972.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000037.00000002.548334385.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000028.00000002.514590108.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000016.00000002.474423573.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000036.00000002.518888987.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000029.00000002.513462018.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.599256866.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 22.2.csrss.exe.3a22567.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.a1cb00.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.3a1c967.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3a32287.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.a22700.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.3.file.exe.3d91420.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.a1cb00.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.3a1c967.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 40.2.csrss.exe.a22700.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3a1c967.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.3400e67.11.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 60.2.csrss.exe.3a22567.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.a22700.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.a32420.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.a1cb00.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.3.csrss.exe.3cf0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.3.file.exe.3d7bb00.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 15.3.csrss.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.3.file.exe.3d81700.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.a22700.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.3.csrss.exe.4321420.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.2e70e67.12.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 22.2.csrss.exe.a32420.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3a32287.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3ec1420.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.a22700.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.34a2287.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 55.2.csrss.exe.a22700.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 22.2.csrss.exe.3400e67.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 41.2.csrss.exe.a32420.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.3.csrss.exe.4311700.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.a32420.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.a22700.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.3a22567.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.a1cb00.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 60.2.csrss.exe.3400e67.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 60.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.35c2567.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0.3.file.exe.3760000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 55.2.csrss.exe.3a32287.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.a1cb00.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3890000.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.2.file.exe.2fa0e67.12.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 64.2.csrss.exe.3a22567.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.3400e67.15.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 54.2.csrss.exe.3a1c967.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3a1c967.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.3a32287.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.a32420.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3a22567.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.3a32287.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3eb1700.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.3a22567.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 28.2.csrss.exe.a22700.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.a1cb00.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.35bc967.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.2.file.exe.35d2287.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.a32420.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.3400e67.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 64.2.csrss.exe.a22700.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 5.2.file.exe.a1cb00.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 60.2.csrss.exe.a1cb00.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.a22700.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.3492567.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.3a1c967.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 22.2.csrss.exe.3a1c967.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 41.2.csrss.exe.3a22567.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 5.3.file.exe.3eabb00.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 0.2.file.exe.348c967.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3400e67.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 15.2.csrss.exe.3400e67.11.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 41.2.csrss.exe.3a32287.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.3a1c967.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.a32420.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.3a1c967.13.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 15.3.csrss.exe.430bb00.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 55.2.csrss.exe.a1cb00.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.a1cb00.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 54.2.csrss.exe.3a22567.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.3400e67.15.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 41.2.csrss.exe.a22700.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 40.2.csrss.exe.a32420.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 64.2.csrss.exe.a1cb00.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 28.2.csrss.exe.3a22567.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth (Nextron Systems), description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, modified = 2022-12-21
Source: 15.2.csrss.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 64.2.csrss.exe.3400e67.14.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000003C.00000002.567142232.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.471247409.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000036.00000002.509180776.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000003C.00000002.555538595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000028.00000002.510967623.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000029.00000002.480076167.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000037.00000002.553779043.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000040.00000002.598741475.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001C.00000002.594116326.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.442933383.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000036.00000002.521380153.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.615156234.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000040.00000002.604158371.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000000F.00000002.624483863.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000003.401909888.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000029.00000002.517016941.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000003C.00000002.570772687.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000037.00000002.522989058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000040.00000002.609271972.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000037.00000002.548334385.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000028.00000002.514590108.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000028.00000002.475119649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000016.00000002.474423573.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 0000001C.00000002.566670417.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000028.00000003.442621501.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth (Nextron Systems), description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
Source: 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000036.00000002.518888987.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000029.00000002.513462018.0000000003000000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.599256866.0000000003400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_txvnygx2.3pj.ps1

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\rss

Jump to behavior

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs file.exe
Source: file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesymsrv.dllj% vs file.exe
Source: file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe
Source: file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinmonFS.sysZ vs file.exe
Source: file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedsefix.exe. vs file.exe

Source: file.exe

Static PE information: invalid certificate

Source: file.exe	ReversingLabs: Detection: 75%
Source: file.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Source: unknown	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn ScheduledUpdate /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: unknown	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4hshgl2.ban.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@79/32@1/0

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: file.exe, 00000000.00000002.378648564.000000000C0B6000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SELECT OSArchitecture FROM Win32_OperatingSystem.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCDriverData=C:\Windows\System32\Drivers\DriverData

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_02BA37C6 CreateToolhelp32Snapshot,Module32First,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
Source: C:\Windows\rss\csrss.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:240:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_01

Source: file.exe	String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: file.exe	String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: file.exe	String found in binary or memory: current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address is emptyafter ob
Source: file.exe	String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: file.exe	String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: file.exe	String found in binary or memory: 1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind in runfinqbad noti
Source: file.exe	String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: file.exe	String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: file.exe	String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: file.exe	String found in binary or memory: current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address is emptyafter ob
Source: file.exe	String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: file.exe	String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: file.exe	String found in binary or memory: 1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind in runfinqbad noti
Source: file.exe	String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Windows\System32\fodhelper.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations

Source: C:\Windows\rss\csrss.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Uninstaller

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: file.exe

Static file information: File size 4377472 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40ac00

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Loader.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: file.exe, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: file.exe, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: $BC:\rumez\pihipifa\zuyum_n.pdb source: file.exe, 00000000.00000001.340268872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000001.360817575.0000000000401000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: file.exe, 00000000.00000002.360923805.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.342311330.0000000003FD8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000036E9000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.0000000003819000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.615156234.0000000000C79000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: file.exe, 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000003.362103364.0000000003F5B000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.1.unpack
Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 5.2.file.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 15.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 22.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 28.2.csrss.exe.400000.4.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 40.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 41.2.csrss.exe.400000.2.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 54.2.csrss.exe.400000.0.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 55.2.csrss.exe.400000.3.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 60.2.csrss.exe.400000.1.unpack
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 64.2.csrss.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 5.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 15.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 22.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 28.2.csrss.exe.400000.4.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 40.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 41.2.csrss.exe.400000.2.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 54.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 55.2.csrss.exe.400000.3.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 60.2.csrss.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Windows\rss\csrss.exe	Unpacked PE file: 64.2.csrss.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_02BA7C7E pushad ; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_02BA516A pushfd ; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_02BA7D59 pushad ; ret

Source: csrss.exe.5.dr	Static PE information: real checksum: 0x43a16c should be: 0x42d1a9
Source: file.exe	Static PE information: real checksum: 0x43a16c should be: 0x42d1a9

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\netsh.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\fodhelper.exe

Executable created and started: C:\Windows\rss\csrss.exe

Drops PE files with benign system names

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\rss\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\rss\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\rss\csrss.exe

Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\file.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run csrss

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\rss\csrss.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run csrss			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run csrss			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\rss\csrss.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMUSRVC.EXE
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMPC:\USERS\user\APPDATA\LOCAL\TEMP\CSRSSC:\USERS\user\DESKTOP\FILE.EXEC:\USERS\user\DESKTOP\FILE.EXE"C:\USERS\user\APPDATA\LOCAL\TEMP\CSRSS""CSRSS.EXE", "WINDEFENDER.EXE", "FILE.EXE"C:\WINDOWS\SYSTEM32\WBEM\POWERSHELLC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.COMC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.EXEC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.BATC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.CMDC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.VBSC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.VBEC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.JSC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.JSEC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.WSFC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.WSHC:\WINDOWS\SYSTEM32\WBEM\POWERSHELL.MSCC:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\OQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEOQNDYQLSNS.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEWMIPRVSE.EXEWMIPRVSE.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEFILE.EXEVMSRVC.EXEVMUSRVC.EXE$
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMSRVC.EXEVMUSRVC.EXESMSS.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXEWININIT.EXEVMSRVC.EXEVMUSRVC.EXECSRSS.EXEVMSRVC.EXEVMUSRVC.EXESERVICES.EXEVMSRVC.EXEVMUSRVC.EXEWINLOGON.EXEVMSRVC.EXEVMUSRVC.EXELSASS.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXESVCHOST.EXEVMSRVC.EXEVMUSRVC.EXEPOWERSHELL.JSEPOWERSHELL.WSFPOWERSHELL.WSHPOWERSHELL.MSCC:\WINDOWS\HOMEDRIVE=C:OS=WINDOWS_NTUSERPROFILEUSERNAMETMPTEMPUSERDOMAINSYSTEMROOTPUBLICSYSTEMDRIVEPSMODULEPATHPROGRAMW6432PROGRAMFILESPROGRAMDATAPROCESSOR_LEVELPATHEXTPATHOSLOCALAPPDATAHOMEPATHCOMSPECHOMEDRIVEDRIVERDATACOMPUTERNAMEAPPDATA
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: file.exe	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3376	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1540	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5576	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6164	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1368	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7148	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4872	Thread sleep count: 9184 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7040	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9133
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9393
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9112
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9001
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9301
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8766
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7315
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9160
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8648
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8899
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9184
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9096
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8550

Source: C:\Users\user\Desktop\file.exe	File opened / queried: VBoxGuest
Source: C:\Users\user\Desktop\file.exe	File opened / queried: vmci
Source: C:\Users\user\Desktop\file.exe	File opened / queried: HGFS
Source: C:\Users\user\Desktop\file.exe	File opened / queried: VBoxTrayIPC
Source: C:\Users\user\Desktop\file.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\Desktop\file.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: file.exe, 00000005.00000002.428126829.000000000C190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: smartscreen.exeSgrmBroker.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exe\\.\VBoxGuest\\.\VBoxTrayIPC[System Process]fontdrvhost.exefontdrvhost.exesmartscreen.exeSgrmBroker.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeOQndYQLsns.exeS-1-5-18CreateToolhelp32SnapshotShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exeVBoxSFRegistrysmss.exedwm.exeShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exevmhgfsvmmousevmxnetRegistrysmss.exedwm.exeShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exevpc-s3vpcuhubRegistrysmss.exedwm.exeShellExperienceHost.exebackgroundTaskHost.exebackgroundTaskHost.exefile.exexennetxennet6xensvcxenvdbC:\Windows\Sysnative\cmd.exeC:\Windows\Sysnative\cmd.exePATHEXTCOMPUTERNAME=computerHOMEPATH=\Windows\system32NUMBER_OF_PROCESSORS=2PROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramW6432=C:\Program FilesPUBLIC=C:\Users\PublicUSERNAME=computer$C:\Windows\windefender.exeC:\Windows\System32\drivers"C:\Windows\windefender.exe""C:\Windows\System32\drivers"PATHEXTPATHEXTC:\Windows\powershell.cmdC:\Windows\powershell.vbsC:\Windows\powershell.vbeC:\Windows\powershell.jseC:\Windows\powershell.wsfC:\Windows\powershell.wshC:\Windows\powershell.msc
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: aryvmcixn-SE-
Source: file.exe, 00000005.00000002.403486156.0000000000E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\pipe\VBoxTrayIPCi
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: file.exe, 00000005.00000002.428126829.000000000C19C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\TempC:\Users\user\AppData\Local\Temp\csrssC:\Users\user\Desktop\file.exec:\users\user\desktop\file.exe"C:\Users\user\AppData\Local\Temp\csrss""csrss.exe", "windefender.exe", "file.exe"C:\Windows\System32\Wbem\powershellC:\Windows\System32\Wbem\powershell.comC:\Windows\System32\Wbem\powershell.exeC:\Windows\System32\Wbem\powershell.batC:\Windows\System32\Wbem\powershell.cmdC:\Windows\System32\Wbem\powershell.vbsC:\Windows\System32\Wbem\powershell.vbeC:\Windows\System32\Wbem\powershell.jsC:\Windows\System32\Wbem\powershell.jseC:\Windows\System32\Wbem\powershell.wsfC:\Windows\System32\Wbem\powershell.wshC:\Windows\System32\Wbem\powershell.mscC:\Windows\System32\WindowsPowerShell\v1.0\oqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exeoqndyqlsns.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exeWmiPrvSE.exewmiprvse.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exefile.exevmsrvc.exevmusrvc.exe$
Source: file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemuvirtual
Source: file.exe, 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: file.exe	Binary or memory string: popcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs
Source: file.exe	Binary or memory string: arecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAll
Source: file.exe, 00000005.00000002.428126829.000000000C19A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exe\\.\VBoxMiniRdrDNMemory CompressionRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exeMemory CompressionRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exeMemory CompressionRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeTrustedInstaller.exeAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6TEMP=C:\Windows\TEMPTMP=C:\Windows\TEMPUSERDOMAIN=WORKGROUPwindir=C:\WindowsLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelAdd-MpPreference -ExclusionProcess "csrss.exe", "windefender.exe", "file.exe"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsh
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: 11VBoxSFWINDIRWD
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc.exevmusrvc.exesmss.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exewininit.exevmsrvc.exevmusrvc.execsrss.exevmsrvc.exevmusrvc.exeservices.exevmsrvc.exevmusrvc.exewinlogon.exevmsrvc.exevmusrvc.exelsass.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exesvchost.exevmsrvc.exevmusrvc.exepowershell.jsepowershell.wsfpowershell.wshpowershell.mscC:\Windows\HOMEDRIVE=C:OS=Windows_NTuserprofileusernametmptempuserdomainsystemrootpublicsystemdrivepsmodulepathprogramw6432programfilesprogramdataprocessor_levelpathextpathoslocalappdatahomepathcomspechomedrivedriverdatacomputernameappdata
Source: file.exe	Binary or memory string: pclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo
Source: file.exe	Binary or memory string: sse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BE
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: file.exe, 00000005.00000002.403486156.0000000000E56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\vmci
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s\|%s%s\|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: file.exe	Binary or memory string: pi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= page
Source: csrss.exe, 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: main.isRunningInsideVMWare
Source: file.exe	Binary or memory string: myreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:
Source: file.exe	Binary or memory string: hPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 1
Source: file.exe	Binary or memory string: s5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= m
Source: file.exe	Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: file.exe, 00000005.00000002.403486156.0000000000E71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msvmmouf?
Source: file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: exit status 1exit status 1: nehalemS-1-5-18kvmqemuvirtualpersocon$
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:**@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: tVMSrvcs\|!
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: file.exe	Binary or memory string: sbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.428126829.000000000C18A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: file.exe	Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
Source: file.exe	Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: file.exe	Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: file.exe	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [system process]vboxtray.exe
Source: file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ><'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: file.exe	Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
Source: file.exe	Binary or memory string: WSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4c
Source: file.exe	Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: file.exe	Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
Source: file.exe	Binary or memory string: t64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.4.5
Source: file.exe	Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownloading
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: registryvboxtray.exe
Source: file.exe	Binary or memory string: expiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowsw
Source: file.exe	Binary or memory string: 12SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs de
Source: file.exe	Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: file.exe	Binary or memory string: mountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B
Source: file.exe, 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: \\.\HGFS`
Source: file.exe, 00000005.00000002.403486156.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624231417.0000000001012000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe	Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: vmhgfsP
Source: file.exe, 00000005.00000002.403486156.0000000000E56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\HGFS
Source: file.exe, 00000005.00000002.403486156.0000000000E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xenvdb?
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: file.exe, 00000000.00000002.362994570.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: file.exe	Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
Source: file.exe	Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
Source: file.exe	Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: file.exe	Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
Source: file.exe	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: file.exe, 00000005.00000002.424748729.000000000C08A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: sharedintapp.exe[system process]vmsrvc.exe
Source: file.exe	Binary or memory string: ianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdomai
Source: file.exe	Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\rss\csrss.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_02BA30A3 push dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: 28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\rss\csrss.exe C:\Windows\rss\csrss.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Windows\rss\csrss.exe "C:\Windows\rss\csrss.exe"
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\rss\csrss.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Modifies the windows firewall

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Glupteba

Source: Yara match	File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

Remote Access Functionality

Yara detected Glupteba

Source: Yara match	File source: 15.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.3400e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 55.2.csrss.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 54.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.file.exe.3890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.csrss.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.csrss.exe.3400e67.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.csrss.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.csrss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.csrss.exe.3400e67.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.csrss.exe.3400e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.csrss.exe.3400e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2e70e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 4472, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Windows Management Instrumentation	1 Windows Service	1 Windows Service	321 Masquerading	1 Input Capture	231 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	2 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Proxy	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	11 Registry Run Keys / Startup Folder	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	76%	ReversingLabs	Win32.Trojan.RedLine
file.exe	80%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\rss\csrss.exe	100%	Joe Sandbox ML
C:\Windows\rss\csrss.exe	76%	ReversingLabs	Win32.Trojan.RedLine

Source	Detection	Scanner	Label
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	0%	URL Reputation	safe
http://invalidlog.txtlookup	0%	URL Reputation	safe
http://gais.cs.ccu.edu.tw/robot.php)Gulper	0%	URL Reputation	safe
http://devlog.gregarius.net/docs/ua)Links	0%	URL Reputation	safe
http://www.google.	0%	URL Reputation	safe
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	0%	URL Reputation	safe
http://www.spidersoft.com)Wg	0%	Avira URL Cloud	safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	0%	Avira URL Cloud	safe
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionC:	0%	Avira URL Cloud	safe
http://crl.g	0%	URL Reputation	safe
https://blockchain.infoindex	0%	URL Reputation	safe
https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttps://m	0%	Avira URL Cloud	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
http://www.googlebot.com/bot.html)Links	0%	URL Reputation	safe
https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWhttps://mastiakele.xyzUUIDUUIDPGDSEPGDSE	0%	Avira URL Cloud	safe
http://https://_bad_pdb_file.pdb	0%	Avira URL Cloud	safe
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	0%	Avira URL Cloud	safe
http://grub.org)Mozilla/5.0	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/00.62	0%	Avira URL Cloud	safe
http://localhost:3433/https://duniadekho.baridna:	0%	Avira URL Cloud	safe
https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonPro	0%	Avira URL Cloud	safe
http://www.bloglines.com)Frame	0%	Avira URL Cloud	safe
https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWUUIDPGDSE64-bitc:	0%	Avira URL Cloud	safe
https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion	0%	Avira URL Cloud	safe
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5m	0%	Avira URL Cloud	safe
https://mastiakele.xyzMicrosoft	0%	Avira URL Cloud	safe
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion	100%	Avira URL Cloud	malware
https://mastiakele.xyz	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.spidersoft.com)Wg	file.exe	false	Avira URL Cloud: safe	low
http://search.msn.com/msnbot.htm)net/http:	file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	file.exe	false	URL Reputation: safe	unknown
http://yandex.com/	file.exe	false		high
http://search.msn.com/msnbot.htm)net/htt	file.exe	false		high
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionC:	file.exe, 00000005.00000002.424748729.000000000C01A000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.google.com/bot.html)crypto/ecdh:	file.exe	false		high
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	file.exe	true	Avira URL Cloud: safe	unknown
https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-p	file.exe	false		high
http://invalidlog.txtlookup	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://search.msn.com/msnbot.htm)msnbot/1.1	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false		high
http://gais.cs.ccu.edu.tw/robot.php)Gulper	file.exe	false	URL Reputation: safe	unknown
https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttps://m	file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.archive.org/details/archive.org_bot)Opera/9.80	file.exe	false		high
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false		high
http://yandex.com/bots)Opera/9.51	file.exe	false		high
http://www.google.com/bot.html)Mozilla/5.0	file.exe	false		high
https://mastiakele.xyz	file.exe, 00000000.00000002.378648564.000000000C090000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C016000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C816000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWhttps://mastiakele.xyzUUIDUUIDPGDSEPGDSE	file.exe, 00000000.00000002.378648564.000000000C090000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://https://_bad_pdb_file.pdb	file.exe, 00000000.00000003.342311330.0000000003E2B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.364753333.000000000353B000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000ACC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000002.414419556.000000000366B000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003ACB000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://archive.org/details/archive.org_bot)Mozilla/5.0	file.exe	false		high
http://devlog.gregarius.net/docs/ua)Links	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.google.	file.exe	false	URL Reputation: safe	unknown
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	file.exe	false	URL Reputation: safe	unknown
http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD	file.exe	false		high
http://www.avantbrowser.com	file.exe	false		high
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionS-1-5-21-3853321935-2125563209-	file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	low
https://mastiakele.xyzMicrosoft	file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C072000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C858000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com/feedfetcher.html)HKLM	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false		high
http://grub.org)Mozilla/5.0	file.exe	false	Avira URL Cloud: safe	low
https://cdn.discordapp.com/attachments/1087398815188910163/1087399133926674453/LZ.zipreflect.Value.I	file.exe	false		high
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	file.exe	false	Avira URL Cloud: safe	unknown
http://crl.g	file.exe, 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blockchain.infoindex	csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.avantbrowser.com)MOT-V9mm/00.62	file.exe, 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://turnitin.com/robot/crawlerinfo.html)cannot	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false		high
http://localhost:3433/https://duniadekho.baridna:	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	low
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion	file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.378648564.000000000C0A2000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.exabot.com/go/robot)Opera/9.80	file.exe	false	URL Reputation: safe	unknown
http://search.msn.com/msnbot.htm)pkcs7:	file.exe, file.exe, 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp	false		high
https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionCommonPro	file.exe, 00000000.00000002.378648564.000000000C092000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.426549971.000000000C11E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.629197861.000000000C91E000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.alexa.com/help/webmasters;	file.exe	false		high
http://www.google.com/adsbot.html)Encountered	file.exe	false		high
https://mastiakele.xyzhttps://mastiakele.xyzRegQueryValueExWUUIDPGDSE64-bitc:	file.exe, 00000005.00000002.424748729.000000000C016000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C816000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bloglines.com)Frame	file.exe	false	Avira URL Cloud: safe	low
https://mastiakele.xyzhttp://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onion	file.exe, 00000000.00000002.378648564.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.624321444.000000000105A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://un6fsy7wsdbqb54aridsmu5mtdcctatumigg37ip476tsdy2jf6ascqd.onionhttp://un6fsy7wsdbqb54aridsmu5m	file.exe, 00000000.00000002.378648564.000000000C0DE000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.424748729.000000000C00E000.00000004.00001000.00020000.00000000.sdmp, csrss.exe, 0000000F.00000002.627457527.000000000C80E000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.googlebot.com/bot.html)Links	file.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882707
Start date and time:	2023-06-06 17:17:17 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	66
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@79/32@1/0
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 27.5% (good quality ratio 13.2%) Quality average: 40.1% Quality standard deviation: 44.2%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target file.exe, PID 6760 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:18:18	API Interceptor	7x Sleep call for process: file.exe modified
17:18:23	API Interceptor	330x Sleep call for process: powershell.exe modified
17:18:46	API Interceptor	9x Sleep call for process: csrss.exe modified
17:18:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Windows\rss\csrss.exe"
17:18:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Windows\rss\csrss.exe"
17:18:57	Task Scheduler	Run new task: csrss path: C:\Windows\rss\csrss.exe

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22204
Entropy (8bit):	5.459012652297042
Encrypted:	false
SSDEEP:	384:7tCRL0YyLr2AfLNSVud7WjbPsJa1QQ1C5SeO8vH4b60mwXJpiprg:iyn3fBUud7a/QjTP4uvCp5
MD5:	AD1C21EEB0DAC1C77F3EF5AD7FA46A7D
SHA1:	17E154771EF4DEE59BB98668F671BAB2CCCFDB93
SHA-256:	AD83FC496FDB8A1F66C7359293721288833C649BD2AEAE104EC307CB256B5BD6
SHA-512:	E6F3D9005ACBD7D64A200D63A37DEE562B1C2CDC8E5CAA5A171E78DC4001804905A81CC12A9CDEFC052D1E8618C1B54A358C1CE4BAB793B789B83333DBABBF0A
Malicious:	false
Reputation:	unknown
Preview:	@...e...........e....................................@..........H...............<@.^.L."My...:I..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hiwndk4.bpq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kmi0cxx.czu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_neh5uxb5.2du.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r24lykxa.jtx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4hshgl2.ban.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xxox1cid.pwx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfxhgdjq.5aw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yz2x05go.ann.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Logs\CBS\CBS.log

Download File

Process:	C:\Windows\servicing\TrustedInstaller.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
Category:	modified
Size (bytes):	3080192
Entropy (8bit):	5.307629755331727
Encrypted:	false
SSDEEP:	6144:TLS5YygL1mnGVFQa/qJIxOfTFyKQel5lmhSVjfChq4TMmdqj3:TL1dq
MD5:	84284E25CC68C93D0D4AC6319713FA6C
SHA1:	C79240F519C0CE886F20A0B603C7741639F329FA
SHA-256:	72ED1E9104F4941C2A30EF3951F42E8BE5DB2789FC28D6108E89EFC2AE8654CE
SHA-512:	EEFDA1D5C2A0390F9D096B75DA4B5B3C62E6DA2BDED9A33D0CB7D707C1A62E2EC162B1D105F3F7426EE167DF02904E11462992CD249C16460D5B0AEC28A14274
Malicious:	false
Reputation:	unknown
Preview:	.2019-06-27 00:55:29, Info CBS TI: --- Initializing Trusted Installer ---..2019-06-27 00:55:29, Info CBS TI: Last boot time: 2019-06-27 00:49:51.660..2019-06-27 00:55:29, Info CBS Starting TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:4..2019-06-27 00:55:29, Info CBS Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:5..2019-06-27 00:55:29, Info CBS Lock: New lock added: WinlogonNotifyLock, level: 8, total lock:6..2019-06-27 00:55:29, Info CBS Ending TrustedInstaller initialization...2019-06-27 00:55:29, Info CBS Starting the TrustedInstaller main loop...2019-06-27 00:55:29, Info CBS TrustedInstaller service starts successfully...2019-06-27 00:55:29, Info CBS No startup pr

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22092
Entropy (8bit):	5.599604238208506
Encrypted:	false
SSDEEP:	384:xtCRo089Iocj0aKiLSBTKpUyucFzFjjP971ea5cO9fgSe1yvB4Iz60lTXLpiOUx:coovL4+5uOlR71TFOGZ4Jwpe
MD5:	BFA918656378264D5004CC1470E162BB
SHA1:	787B0B440203F5DB0025F15F8D5AB740759ECB80
SHA-256:	43A9F755F97F0CD8DC8661AB6D120735F8B61C5244D6299667E57D50DB53BDC7
SHA-512:	31CAB5D79FA45A4403AE0CF4EF08CD15FBC0CF94FDC110423C958E7F64B05270F48DD695538F246F04F9BD3C7AAA6DCDE03972422544704BA9887D5DEDBA3E66
Malicious:	false
Reputation:	unknown
Preview:	@...e...........J...........a.O.O.......+............@..........H...............<@.^.L."My...:I..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Windows\Temp\__PSScriptPolicyTest_1ufz0sgk.myo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_4kbnorl3.12h.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_5rosccoi.3tj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_5z2r5jwu.tvo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_alrlhr1g.v5f.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_llc3eusd.wzr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_m40tnpqs.odn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_mcrmpiy0.i5p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_ninjjd0h.sdc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_p2nuu3nn.1zm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_phccmwlw.m0k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_q5tugduk.fnu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_tegyafc1.bwe.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_txvnygx2.3pj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_vvhtfm1i.slt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_w0aevyid.a34.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_yjogpmn2.2vt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\Temp\__PSScriptPolicyTest_z5j1xn30.oha.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Windows\rss\csrss.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4377472
Entropy (8bit):	7.9744939964113035
Encrypted:	false
SSDEEP:	98304:6tF4ah6fnbBWKRFjbBoWQaZBcADzh9LZIm9riDYPhtZj:1c6foKbBzDcADzhht5F
MD5:	5E7D3490818E3F2A96F7A9DFC6950F9C
SHA1:	934454A655F32B4645CE827B3A39BED2CF5D891C
SHA-256:	E498809A30CAB90E8D5EB3FF4610BC177EA9E63110530DA50643332263F4AB55
SHA-512:	6E94AFCC7027D56A9AD19CC687766A4DAB407314B622128200EBC84EBFB6A5F9F8A29F9DA7A6CE5DB0EC7A96CB9992FC964430818426468A59D222D054E3C24A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:].[3..[3..[3......[3......[3......[3...H..[3..[2.;[3......[3......[3......[3.Rich.[3.........PE..L.....c..................@..L&.....)H........@...@.................................l.C.....................................x.@.d.... e...............B......P...... ...............................X0..@............................................text...&.@.......@................. ..`.data...HX$...@.......@.............@....rsrc....',.. e.......@.............@..@.reloc...Z...P...Z...fB.............@..B................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\rss\csrss.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2005
Entropy (8bit):	5.199889815210355
Encrypted:	false
SSDEEP:	24:EEDi2++lqD+0qt0vi1x8/ko+3bd+e2Td0dxWs9xD+FuN1c8t0vndauS/ko+3bdhb:0+QTqtpxM+YO/9x6CG8ticL+3OtZL+37
MD5:	85F8EE5B629AA6A997426FCA1F18AE12
SHA1:	CD0D07D4F353E1F4797C07E36DBE77C2B3487A4C
SHA-256:	06052F50A0750BF5F1EA92A2EFA2ADD285CE8E78562A3866A80EDC85D3C8EB4F
SHA-512:	24339EF07C1C66AC7F17CF484E694516450B2DF7A4C0D2187989185FFF5059A942847ED698C1E12384CCD383958AEE87A40671899B1108D455AE47A54A183CC9
Malicious:	false
Reputation:	unknown
Preview:	2023/06/06 17:18:46 current filenname with args "C:\Windows\rss\csrss.exe".2023/06/06 17:18:56 disable cloud protection: exit status 1: PS C:\Windows\rss> Set-MpPreference -MAPSReporting Disabled.Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target: ..MAPS_MAPSReporting...At line:1 char:1..+ Set-MpPreference -MAPSReporting Disabled..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference.. ..PS C:\Windows\rss> .2023/06/06 17:18:56 initial server https://server3.mastiakele.xyz.2023/06/06 17:18:56 first install, ignore discover on start.2023/06/06 17:19:02 add defender path exclusions: exit status 1: PS C:\Windows\rss> Add-MpPreference -ExclusionPath "C:\Windows\rss", "C:\Users\user\AppData\Local\Temp\csrss", "C:\Windows\windefender.exe",

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9744939964113035
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	4377472
MD5:	5e7d3490818e3f2a96f7a9dfc6950f9c
SHA1:	934454a655f32b4645ce827b3a39bed2cf5d891c
SHA256:	e498809a30cab90e8d5eb3ff4610bc177ea9e63110530da50643332263f4ab55
SHA512:	6e94afcc7027d56a9ad19cc687766a4dab407314b622128200ebc84ebfb6a5f9f8a29f9da7a6ce5db0ec7a96cb9992fc964430818426468a59d222d054e3c24a
SSDEEP:	98304:6tF4ah6fnbBWKRFjbBoWQaZBcADzh9LZIm9riDYPhtZj:1c6foKbBzDcADzhht5F
TLSH:	E4162353D295BD50D9AB4A73AF2FC6F87A1DF4108F563B6A02298E1F1472772D1A3B00
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:]..[3..[3..[3......[3......[3......[3...H..[3..[2.;[3......[3......[3......[3.Rich.[3.........PE..L......c..................@

File Icon


Icon Hash:	454545556145691d

Static PE Info

General

Entrypoint:	0x404829
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385D2BC [Tue Nov 29 09:37:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	96475f7ea3cc105ae1bb971e987af868

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=522b1f00070a2734475a3201002b1c42301c1b0732151b1d231030330b0713013107, PostalCode=10802, S=0b1c1115005f5c4e1802161701040e1609164f0d1a1f + S=0b1c1115494a5c141b55031011521200011110175651021a0c0100080654181701000b110407101e081204565401155144530712111a57090e5304000602055b0c0b0a070b
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	5/28/2023 10:15:45 AM 5/27/2024 10:15:45 AM
Subject Chain	CN=522b1f00070a2734475a3201002b1c42301c1b0732151b1d231030330b0713013107, PostalCode=10802, S=0b1c1115005f5c4e1802161701040e1609164f0d1a1f + S=0b1c1115494a5c141b55031011521200011110175651021a0c0100080654181701000b110407101e081204565401155144530712111a57090e5304000602055b0c0b0a070b
Version:	3
Thumbprint MD5:	FA53284E976FB57C511F84800D1026E7
Thumbprint SHA-1:	AAB41FBA0BFBA63477C31EE1F81BACD1C7823717
Thumbprint SHA-256:	53CC9B394A0EAA065DA50259374B3E3F028D96EC454727111A05CB9D11C9958F
Serial:	5A3B83BA33D148511EE69564FACB49F1

Entrypoint Preview

Instruction
call 00007FD1509E1603h
jmp 00007FD1509DCF9Dh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007FD1509DD146h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007FD1509DD170h
test ecx, 00000003h
jne 00007FD1509DD111h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007FD1509DD10Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007FD1509DD154h
test ah, ah
je 00007FD1509DD146h
test eax, 00FF0000h
je 00007FD1509DD135h
test eax, FF000000h
je 00007FD1509DD124h
jmp 00007FD1509DD0EFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004012D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x40af78	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x652000	0x197f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x42c000	0xb80	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x915000	0xdc8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3058	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1cc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40aa26	0x40ac00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x40c000	0x245848	0x1e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x652000	0x2c27f8	0x19800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x915000	0x5a00	0x5a00	False	0.13307291666666668	data	1.581416306261645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x652730	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x6535d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x653e80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x656428	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x6574d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x657988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x658830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x6590d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x659640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x65bbe8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x65cc90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x65d618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x65dae8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x65e990	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x65f238	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x65f900	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x65fe68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x662410	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x6634b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x663988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x664830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x6650d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x665640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x667be8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x668c90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x669618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x669d20	0x5c4	data
RT_STRING	0x66a2e8	0x710	data
RT_STRING	0x66a9f8	0x558	data
RT_STRING	0x66af50	0x29c	data
RT_STRING	0x66b1f0	0x606	data
RT_GROUP_ICON	0x669a80	0x68	data
RT_GROUP_ICON	0x657938	0x4c	data
RT_GROUP_ICON	0x663920	0x68	data
RT_GROUP_ICON	0x65da80	0x68	data
RT_VERSION	0x669ae8	0x238	data

Imports

DLL	Import
KERNEL32.dll	VirtualFree, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, FreeConsole, GetVersionExW, WritePrivateProfileStructW, IsProcessorFeaturePresent, MulDiv, EnumResourceLanguagesA, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetModuleHandleW, AttachConsole, VirtualAlloc, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, CancelTimerQueueTimer, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetProcAddress, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, DeleteCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, CloseHandle, CreateFileA
USER32.dll	CharLowerBuffA
GDI32.dll	EnumFontsW, GetCharABCWidthsFloatA, GetCharWidthW
ADVAPI32.dll	MapGenericMask

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 17:18:55.956470013 CEST	61178	53	192.168.2.7	8.8.8.8
Jun 6, 2023 17:18:56.020364046 CEST	53	61178	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 6, 2023 17:18:55.956470013 CEST	192.168.2.7	8.8.8.8	0x11d	Standard query (0)	28a89d66-6769-4b6d-ad7a-64ea56a01c93.uuid.mastiakele.xyz	16	IN (0x0001)	false

Target ID:	0
Start time:	17:18:16
Start date:	06/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000000.00000003.342311330.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000003.342311330.0000000003BA1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000002.364753333.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.363521570.0000000002A72000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000002.360923805.0000000000843000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000000.00000002.360923805.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems) Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.364753333.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: powershell.exePID: 6824, Parent PID: 6760

General

Target ID:	1
Start time:	17:18:19
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 6816, Parent PID: 6824

General

Target ID:	2
Start time:	17:18:19
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: TrustedInstaller.exePID: 6536, Parent PID: 552

General

Target ID:	4
Start time:	17:18:25
Start date:	06/06/2023
Path:	C:\Windows\servicing\TrustedInstaller.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\servicing\TrustedInstaller.exe
Imagebase:	0x7ff72a050000
File size:	131584 bytes
MD5 hash:	4578046C54A954C917BB393B70BA0AEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: file.exePID: 1488, Parent PID: 6760

General

Target ID:	5
Start time:	17:18:26
Start date:	06/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000002.400548532.0000000000843000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.403769101.0000000002BA3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000005.00000002.400548532.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000003.362103364.0000000003CD1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000005.00000003.362103364.0000000003890000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000002.414419556.00000000033E3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.414419556.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: powershell.exePID: 5576, Parent PID: 1488

General

Target ID:	6
Start time:	17:18:28
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5984, Parent PID: 5576

General

Target ID:	7
Start time:	17:18:28
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 2760, Parent PID: 1488

General

Target ID:	8
Start time:	17:18:35
Start date:	06/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Imagebase:	0x7ff7651b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 3432, Parent PID: 2760

General

Target ID:	9
Start time:	17:18:35
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: netsh.exePID: 6792, Parent PID: 2760

General

Target ID:	10
Start time:	17:18:36
Start date:	06/06/2023
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Imagebase:	0x7ff747c60000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 7076, Parent PID: 1488

General

Target ID:	11
Start time:	17:18:36
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 6892, Parent PID: 7076

General

Target ID:	12
Start time:	17:18:36
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 5848, Parent PID: 1488

General

Target ID:	13
Start time:	17:18:40
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 3372, Parent PID: 5848

General

Target ID:	14
Start time:	17:18:40
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exePID: 768, Parent PID: 1488

General

Target ID:	15
Start time:	17:18:44
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.624848873.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000000F.00000002.624848873.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000000F.00000002.615156234.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.624483863.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000000F.00000003.401909888.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000000F.00000002.615156234.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000000F.00000003.401909888.0000000004131000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs

Analysis Process: powershell.exePID: 7012, Parent PID: 768

General

Target ID:	16
Start time:	17:18:46
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 6724, Parent PID: 7012

General

Target ID:	17
Start time:	17:18:47
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 5760, Parent PID: 768

General

Target ID:	21
Start time:	17:18:56
Start date:	06/06/2023
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Imagebase:	0x7ff6d8c70000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exePID: 6772, Parent PID: 3320

General

Target ID:	22
Start time:	17:18:56
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000016.00000002.471247409.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000016.00000002.442933383.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000016.00000002.442933383.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000016.00000002.474423573.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000016.00000002.474423573.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Analysis Process: conhost.exePID: 7136, Parent PID: 5760

General

Target ID:	23
Start time:	17:18:56
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 6852, Parent PID: 768

General

Target ID:	24
Start time:	17:18:56
Start date:	06/06/2023
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /delete /tn ScheduledUpdate /f
Imagebase:	0x7ff6d8c70000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 240, Parent PID: 6852

General

Target ID:	25
Start time:	17:18:56
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 2896, Parent PID: 768

General

Target ID:	26
Start time:	17:18:56
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 5124, Parent PID: 2896

General

Target ID:	27
Start time:	17:18:56
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exePID: 2344, Parent PID: 1100

General

Target ID:	28
Start time:	17:18:57
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000001C.00000002.599256866.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001C.00000002.594116326.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000001C.00000002.566670417.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000001C.00000002.566670417.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001C.00000002.599256866.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Analysis Process: cmd.exePID: 2224, Parent PID: 6772

General

Target ID:	29
Start time:	17:19:00
Start date:	06/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff7651b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4768, Parent PID: 2224

General

Target ID:	30
Start time:	17:19:00
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exePID: 6780, Parent PID: 2224

General

Target ID:	31
Start time:	17:19:00
Start date:	06/06/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	fodhelper
Imagebase:	0x7ff779cf0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exePID: 4248, Parent PID: 2224

General

Target ID:	32
Start time:	17:19:00
Start date:	06/06/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff779cf0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exePID: 6708, Parent PID: 2224

General

Target ID:	37
Start time:	17:19:02
Start date:	06/06/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff779cf0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 1360, Parent PID: 768

General

Target ID:	38
Start time:	17:19:02
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 5788, Parent PID: 1360

General

Target ID:	39
Start time:	17:19:02
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exePID: 5596, Parent PID: 6708

General

Target ID:	40
Start time:	17:19:03
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000028.00000002.475119649.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000028.00000002.510967623.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000028.00000002.514590108.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000028.00000002.514590108.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000028.00000002.475119649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000028.00000003.442621501.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

Analysis Process: csrss.exePID: 5280, Parent PID: 3320

General

Target ID:	41
Start time:	17:19:04
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000029.00000002.480076167.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000029.00000002.517016941.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000029.00000002.480076167.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000029.00000002.517016941.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000029.00000002.513462018.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: powershell.exePID: 1196, Parent PID: 5596

General

Target ID:	42
Start time:	17:19:06
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 6740, Parent PID: 1196

General

Target ID:	43
Start time:	17:19:06
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 1364, Parent PID: 2344

General

Target ID:	44
Start time:	17:19:06
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 6720, Parent PID: 1364

General

Target ID:	45
Start time:	17:19:14
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 6104, Parent PID: 5280

General

Target ID:	46
Start time:	17:19:14
Start date:	06/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff7651b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6140, Parent PID: 6104

General

Target ID:	47
Start time:	17:19:14
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exePID: 6048, Parent PID: 6104

General

Target ID:	48
Start time:	17:19:15
Start date:	06/06/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	fodhelper
Imagebase:	0x7ff779cf0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exePID: 5708, Parent PID: 6104

General

Target ID:	49
Start time:	17:19:15
Start date:	06/06/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff779cf0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: fodhelper.exePID: 6216, Parent PID: 6104

General

Target ID:	53
Start time:	17:19:18
Start date:	06/06/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff779cf0000
File size:	46080 bytes
MD5 hash:	1D1F9E564472A9698F1BE3F9FEB9864B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exePID: 6316, Parent PID: 5596

General

Target ID:	54
Start time:	17:19:18
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000036.00000002.509180776.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000036.00000002.521380153.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000036.00000002.509180776.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000036.00000002.521380153.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000036.00000002.518888987.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: csrss.exePID: 6464, Parent PID: 6216

General

Target ID:	55
Start time:	17:19:19
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\rss\csrss.exe"
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000037.00000002.553779043.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000037.00000002.522989058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000037.00000002.548334385.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000037.00000002.522989058.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000037.00000002.553779043.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: powershell.exePID: 6652, Parent PID: 6316

General

Target ID:	56
Start time:	17:19:22
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 6660, Parent PID: 6652

General

Target ID:	57
Start time:	17:19:22
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 4680, Parent PID: 6464

General

Target ID:	58
Start time:	17:19:25
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 4164, Parent PID: 4680

General

Target ID:	59
Start time:	17:19:25
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exePID: 4472, Parent PID: 6464

General

Target ID:	60
Start time:	17:19:40
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000003C.00000002.570772687.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000003C.00000002.567142232.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000003C.00000002.555538595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000003C.00000002.555538595.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000003C.00000002.570772687.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Analysis Process: powershell.exePID: 2224, Parent PID: 4472

General

Target ID:	61
Start time:	17:19:43
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 6532, Parent PID: 2224

General

Target ID:	62
Start time:	17:19:44
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csrss.exePID: 6216, Parent PID: 2344

General

Target ID:	64
Start time:	17:19:59
Start date:	06/06/2023
Path:	C:\Windows\rss\csrss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\rss\csrss.exe
Imagebase:	0x400000
File size:	4377472 bytes
MD5 hash:	5E7D3490818E3F2A96F7A9DFC6950F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 00000040.00000002.598741475.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Florian Roth (Nextron Systems) Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000040.00000002.604158371.0000000003000000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000040.00000002.609271972.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000040.00000002.609271972.0000000003843000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000040.00000002.598741475.0000000000843000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security

Analysis Process: powershell.exePID: 6184, Parent PID: 6216

General

Target ID:	65
Start time:	17:20:04
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 6200, Parent PID: 6184

General

Target ID:	66
Start time:	17:20:04
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hiwndk4.bpq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kmi0cxx.czu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_neh5uxb5.2du.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r24lykxa.jtx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4hshgl2.ban.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xxox1cid.pwx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfxhgdjq.5aw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yz2x05go.ann.psm1

C:\Windows\Logs\CBS\CBS.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\Temp\__PSScriptPolicyTest_1ufz0sgk.myo.psm1

C:\Windows\Temp\__PSScriptPolicyTest_4kbnorl3.12h.psm1

Windows Analysis Report
file.exe